Re: [Pki-devel] [PATCH] 0120..0121 Remove pki-ipa-retrieve-key script

2016-06-03 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 11:45:43PM -0500, Endi Sukma Dewata wrote:
> On 5/31/2016 11:45 PM, Fraser Tweedale wrote:
> > G'day comrades,
> > 
> > Please review the attached two patches, which...
> > 
> > (Patch 0120)
> > 
> > - provide for passing of configuration (from CS.cfg) to KeyRetriever
> >   implementations
> > 
> > - generalise IPACustodiaKeyRetriever to ExternalProcessKeyRetriever,
> >   which executes a configured executable rather than a hardcoded one
> > 
> > (Patch 0121)
> > 
> > - remove pki-ipa-retrieve-key script; it is being moved to FreeIPA
> >   repo
> > 
> > Cheers,
> > Fraser
> 
> ACK.
> 
> Separate issue. Instead of returning multiple binary attributes delimited
> with 0 byte through standard output, it might be better to use JSON file
> instead. So the command can be defined something like this:
> 
> features.authority.keyRetrieverConfig.exec=/usr/libexec/pki-ipa-retrieve-key -o {output}
> 
> The ExternalProcessKeyRetriever will replace the {output} with a temporary
> file, then later parse the result from that file.
> 
Thanks Endi; pushed to master:

419ca3000142c60f176aabc68a2c5c3a1a3c1ea9 Lightweight CAs: remove pki-ipa-retrieve-key script
f11e0b372e3a0736050dd9e2858fce3178171ee6 Lightweight CAs: generalise subprocess-based key retrieval

I agree with the JSON enhancement, but not with using a temporary
file; we can just send the JSON through stdout.  I filed ticket:
https://fedorahosted.org/pki/ticket/2351

Cheers,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
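
As an added illustration of the stdout contract discussed in this thread (a JSON document instead of a null-byte-delimited pair), the following is example code and not part of Dogtag or FreeIPA: a stand-in helper that plays the role of pki-ipa-retrieve-key, and a consumer that does what ExternalProcessKeyRetriever has to do with the helper's output. The field names "certificate" and "wrapped_key" follow the later JSON patch in this archive; the host names, the CA ID and the certificate and wrapped-key bytes are constructed for the example. The helper is launched as a child Python process, so the exit-status and pipe handling are real.

```python
"""Added example, not Dogtag/FreeIPA code: the JSON-over-stdout contract
between a key-retrieval helper and the retriever that runs it."""
import base64
import binascii
import json
import subprocess
import sys

# Constructed sample material; neither is a real certificate or PKIArchiveOptions.
SAMPLE_CERT_DER = b"constructed placeholder, not a DER certificate"
SAMPLE_WRAPPED_KEY = b"constructed placeholder, not a PKIArchiveOptions"

# Stand-in for pki-ipa-retrieve-key, run as a separate process.  argv[1] is the
# host to contact and argv[2] the CA ID; a real helper would query Custodia
# with them.  Output: one JSON object on stdout, exit status 0.
HELPER_SOURCE = r"""
import base64, json, sys
host, ca_id = sys.argv[1], sys.argv[2]
pem = ("-----BEGIN CERTIFICATE-----\n"
       + base64.b64encode(%r).decode("ascii")
       + "\n-----END CERTIFICATE-----\n")
json.dump({"certificate": pem,
           "wrapped_key": base64.b64encode(%r).decode("ascii")}, sys.stdout)
""" % (SAMPLE_CERT_DER, SAMPLE_WRAPPED_KEY)

CA_ID = "00000000-0000-4000-8000-000000000000"   # constructed authority ID


def helper_command(host, ca_id=CA_ID):
    """Command line for the stand-in helper (a real one is configured in CS.cfg)."""
    return [sys.executable, "-c", HELPER_SOURCE, host, ca_id]


# Two misbehaving helpers, for the failure paths the consumer must survive.
FAILING_COMMAND = [sys.executable, "-c", "import sys; sys.exit(1)"]
BAD_OUTPUT_COMMAND = [sys.executable, "-c",
                      "import sys; sys.stdout.write('{\"certificate\": \"x\"}')"]


class InvalidOutput(ValueError):
    """Helper exited 0 but stdout is not the expected document."""


def parse_result(data):
    """Parse helper stdout into (pem_bytes, wrapped_key_bytes); both fields are mandatory."""
    try:
        root = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as e:
        raise InvalidOutput("output is not JSON: %s" % e)
    if not isinstance(root, dict):
        raise InvalidOutput("top-level JSON value is not an object")
    cert, wrapped = root.get("certificate"), root.get("wrapped_key")
    if not isinstance(cert, str) or "-----BEGIN CERTIFICATE-----" not in cert:
        raise InvalidOutput("'certificate' missing or not PEM")
    if not isinstance(wrapped, str):
        raise InvalidOutput("'wrapped_key' missing")
    try:
        pem = cert.encode("ascii")
        pao = base64.b64decode(wrapped, validate=True)
    except (UnicodeEncodeError, binascii.Error) as e:
        raise InvalidOutput("field not ASCII/base64 as expected: %s" % e)
    return pem, pao


def retrieve_from_any(hosts, command_for_host, log=print):
    """Mirror the retriever loop: try hosts in turn, skip failures, return the
    first good (pem, wrapped_key) pair or None."""
    for host in hosts:
        p = subprocess.Popen(command_for_host(host),
                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        # communicate() drains both pipes before waiting, so a helper that
        # writes more than the pipe buffer cannot deadlock against the wait.
        out, err = p.communicate()
        if p.returncode != 0:
            log("%s: helper exited %d: %s" % (host, p.returncode,
                                              err.decode("utf-8", "replace").strip()))
            continue
        try:
            return parse_result(out)
        except InvalidOutput as e:
            log("%s: %s" % (host, e))
    log("failed to retrieve key from any host")
    return None


if __name__ == "__main__":
    result = retrieve_from_any(["ca1.example.test", "ca2.example.test"], helper_command)
    print("retrieved" if result else "no result")
```

The consumer reads stdout to EOF before it looks at the exit status; doing it the other way round is the classic pipe deadlock once a helper's output outgrows the pipe buffer, which a PEM certificate plus a base64 PKIArchiveOptions can do.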


Re: [Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-06-02 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 08:02:35PM -0500, Endi Sukma Dewata wrote:
> On 5/17/2016 12:20 AM, Fraser Tweedale wrote:
> > Hi all,
> > attached patch fixes https://fedorahosted.org/pki/ticket/2332
> > 
> > Cheers,
> > Fraser
> 
> Assuming an identical CA cannot be created to replace the old one, HTTP 410
> Gone is fine. If it's possible, it should be HTTP 404 Not Found. ACK.
>
Authority IDs are random UUIDs, so I think we can safely say that
Gone means Gone :)

Thanks for reviewing!
Pushed to master (443ad5e35e106f84b5439ee7d2861ccd5d6245f3)



Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present

2016-06-14 Thread Fraser Tweedale
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote:
> On 6/13/2016 9:38 PM, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
> > Please review for inclusion in 10.3.3.
> > 
> > Thanks,
> > Fraser
> 
> It looks like the initSignUnit() is only called with retrieveKeys=true in
> init(). So the code that starts the key retriever thread probably can be
> moved out, becoming something like this:
> 
>   initDefCaAttrs();
> 
>   try {
>       initSignUnit();
>       checkForNewerCert();
> 
>   } catch (CAMissingCertException | CAMissingKeyException e) {
>       // start key retriever thread
> 
>   } catch (EBaseException e) {
>       ...
>   }
> 
> I think it would clarify a little bit how the missing cert/key is handled.
> 
Yes, that will be a nice refactor.  I may send a patch for that soon.

> So if I understand correctly if the cert/key is missing the LWCA object will
> still be created and registered, but it will be disabled (hasKeys=false)?
> 
> When the key retriever thread is complete, will it automatically
> reinitialize and enable the LWCA object?
> 
Yes to both questions.  The bug was that an exception could be thrown
when constructing the LWCA object (thus it was not registered).
Key retrieval had been initiated and successfully retrieved the key,
but there was no LWCA object to reinitialise.

> Regardless, feel free to push the patch as is.
> 
Thanks, pushed to master (41aef5254c20301851716ef46b614d185b33a87b)



[Pki-devel] [PATCH] 0122 Modify ExternalProcessKeyRetriever to read JSON

2016-06-04 Thread Fraser Tweedale
Hi Endi et al,

Attached patch changes ExternalProcessKeyRetriever to read JSON data
(https://fedorahosted.org/pki/ticket/2351).  Would be nice to get
this into 10.2.2 because it will simplify IPA custodia retrieval
helper.

I am using Jackson for JSON parsing.  This is already an implicit
dependency, but should I also add it to the spec file as an explicit
dependency?

Cheers,
Fraser
From 7183cece34b766b5e1db6837291151b4d58aa9c9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Sat, 4 Jun 2016 20:49:38 +1000
Subject: [PATCH] Modify ExternalProcessKeyRetriever to read JSON

The ExternalProcessKeyRetriever currently uses a hackish format
where the certificate and PKIArchiveOptions data are separated by a
null byte.  Update the code to expect JSON instead.

No backwards compatibility is provided because at time of writing
the ExternalProcessKeyRetriever is only used in a FreeIPA feature
still under development.

Fixes: https://fedorahosted.org/pki/ticket/2351
---
 base/ca/src/CMakeLists.txt | 15 +
 .../netscape/ca/ExternalProcessKeyRetriever.java   | 37 +-
 2 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
index 1817dacfbacaeb2635db2550e32ff62c26d628ef..2a43c8dbb4f88c22df244bb752ea963b2f0d646c 100644
--- a/base/ca/src/CMakeLists.txt
+++ b/base/ca/src/CMakeLists.txt
@@ -38,6 +38,20 @@ find_file(COMMONS_LANG_JAR
 /usr/share/java
 )
 
+find_file(JACKSON_CORE_JAR
+NAMES
+jackson-core-asl.jar
+PATHS
+/usr/share/java/jackson
+)
+
+find_file(JACKSON_MAPPER_JAR
+NAMES
+jackson-mapper-asl.jar
+PATHS
+/usr/share/java/jackson
+)
+
 find_file(JAXRS_API_JAR
 NAMES
 jaxrs-api.jar
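
Review bot: find_file() does not fail configuration when a jar is absent; JACKSON_CORE_JAR and JACKSON_MAPPER_JAR are then set to *-NOTFOUND and the javac() classpath below silently carries a bogus entry, so a build host without Jackson 1.x fails later with an unresolved org.codehaus.jackson import instead of a clear message. Add `if(NOT JACKSON_CORE_JAR OR NOT JACKSON_MAPPER_JAR)` / `message(FATAL_ERROR "jackson-core-asl.jar / jackson-mapper-asl.jar not found")` after the two find_file() calls, and answer the cover mail's own question by listing the Jackson package as an explicit BuildRequires/Requires in the spec, since base/ca now depends on it directly rather than transitively.
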
@@ -81,6 +95,7 @@ javac(pki-ca-classes
 org/dogtagpki/server/ca/*.java
 CLASSPATH
 ${COMMONS_CODEC_JAR} ${COMMONS_IO_JAR} ${COMMONS_LANG_JAR}
+${JACKSON_CORE_JAR} ${JACKSON_MAPPER_JAR}
 ${JSS_JAR} ${SYMKEY_JAR}
 ${LDAPJDK_JAR}
 ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR}
diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
index 6aee9716e1e5953018ed4c3f3316c9b7d4c88a45..a1b77485284d699bbb524bfc64b3c348663c4c1e 100644
--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
@@ -18,6 +18,8 @@
 
 package com.netscape.ca;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.lang.Process;
 import java.lang.ProcessBuilder;
 import java.util.Collection;
@@ -26,6 +28,9 @@ import java.util.Stack;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.ArrayUtils;
 
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.JsonNode;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
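
Review bot: org.apache.commons.lang.ArrayUtils and org.apache.commons.io.IOUtils (context lines just above) look unused once the null-byte splitting further down is removed; if nothing else in the class calls them, drop the two imports in this patch rather than leaving stale imports for a later cleanup.
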
@@ -65,21 +70,7 @@ public class ExternalProcessKeyRetriever implements 
KeyRetriever {
 int exitValue = p.waitFor();
 if (exitValue != 0)
 continue;
-
-/* Read a PEM-encoded certificate and a base64-encoded
- * PKIArchiveOptions containing the wrapped private key,
- * separated by a null byte.
- */
-byte[] output = IOUtils.toByteArray(p.getInputStream());
-int splitIndex = ArrayUtils.indexOf(output, (byte) 0);
-if (splitIndex == ArrayUtils.INDEX_NOT_FOUND) {
-CMS.debug("Invalid output: null byte not found");
-continue;
-}
-return new Result(
-ArrayUtils.subarray(output, 0, splitIndex),
-ArrayUtils.subarray(output, splitIndex + 1, output.length)
-);
+return parseResult(p.getInputStream());
 } catch (Throwable e) {
 CMS.debug("Caught exception while executing command: " + e);
 } finally {
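
Review bot: stdout is still consumed only after `int exitValue = p.waitFor();` (unchanged context at the top of the hunk), so a helper that writes more than the pipe buffer blocks on write while the retriever blocks in waitFor(), and a JSON document carrying a PEM certificate plus base64 PKIArchiveOptions is large enough for that to be plausible. Read the stream first and check the status afterwards, e.g. `Result r = parseResult(p.getInputStream()); if (p.waitFor() != 0) continue; return r;`. Separately, `catch (Throwable e)` now also absorbs the RuntimeException parseResult throws for malformed documents; that keeps the try-next-host loop working, but the debug line should name the host so a broken helper is distinguishable from an unreachable one.
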
@@ -89,4 +80,20 @@ public class ExternalProcessKeyRetriever implements 
KeyRetriever {
 CMS.debug("Failed to retrieve key from any host.");
 return null;
 }
+
+/* Read a PEM-encoded certificate and a base64-encoded
+ * PKIArchiveOptions containing the wrapped private key.
+ * Data is expected to be a JSON object with keys "certificate"
+ * and "wrapped_key".
+ */
+private Result parseResult(InputStream in) throws IOException {
+JsonNode root = (new ObjectMapper()).readTree(in);
+String cert = root.path("certificate").getTextValue();
+byte[] pao = root.path("wrapped_key").getBinaryValue();
+if (cert == null)
+throw new RuntimeException(&q
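
Review bot: parseResult null-checks only cert; `root.path("wrapped_key").getBinaryValue()` also yields null when the field is absent (path() returns a MissingNode rather than throwing) or is not base64 text, so a document without wrapped_key passes and a Result with a null PKIArchiveOptions goes back to the caller. Add the same `if (pao == null) throw ...` guard, and an `if (!root.isObject())` check up front so a non-object top-level value is reported as such rather than as a missing certificate. A single static ObjectMapper would also avoid constructing one per retrieval attempt; it is thread-safe once configured.
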

Re: [Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-31 Thread Fraser Tweedale
On Tue, May 31, 2016 at 11:07:51AM -0500, Endi Sukma Dewata wrote:
> On 5/29/2016 10:25 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2343
> > 
> > Cheers,
> > Fraser
> 
> ACK.
> 
Thanks Endi!  Pushed to master
(a40139d5f21139d31b62d3c35002b454131245f1)

Cheers,
Fraser



[Pki-devel] [PATCH] 0116 Fix LDAP schema violation when instance name contains '_'

2016-05-29 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2343

Cheers,
Fraser
From a40139d5f21139d31b62d3c35002b454131245f1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 30 May 2016 12:17:12 +1000
Subject: [PATCH] Fix LDAP schema violation when instance name contains '_'

The instance name is used in NSSDB key nicknames, which are stored
in the authorityKeyNickname attribute for mapping lightweight CAs to
their keys.  The schema was PrintableString, which does not permit
'_', causing LDAP syntax errors if the instance name contains '_'.

To avoid this issue, change the attribute syntax to IA5String.
Existing instances should be largely unaffected.  The schema update
can be successfully applied even for existing attributes, because
PrintableString and IA5String share the same underlying
representation in 389DS.

Fixes: https://fedorahosted.org/pki/ticket/2343
---
 base/server/share/conf/schema-authority.ldif | 2 +-
 base/server/share/conf/schema.ldif   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/server/share/conf/schema-authority.ldif b/base/server/share/conf/schema-authority.ldif
index fd3c4fa225b036142a9aa4e99c65697365160dfd..1102b53378be55181c4d5dd5f073cbede34bc974 100644
--- a/base/server/share/conf/schema-authority.ldif
+++ b/base/server/share/conf/schema-authority.ldif
@@ -1,6 +1,6 @@
 dn: cn=schema
 attributeTypes: ( authorityID-oid NAME 'authorityID' DESC 'Authority ID' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' )
-attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 
'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE 
X-ORIGIN 'user-defined' )
+attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 
'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE 
X-ORIGIN 'user-defined' )
 attributeTypes: ( authorityParentID-oid NAME 'authorityParentID' DESC 
'Authority Parent ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE 
X-ORIGIN 'user defined' )
 attributeTypes: ( authorityEnabled-oid NAME 'authorityEnabled' DESC 'Authority 
Enabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user 
defined' )
 attributeTypes: ( authorityDN-oid NAME 'authorityDN' DESC 'Authority DN' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
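
Review bot: IA5String (1.26) admits '_' but still rejects everything outside 7-bit ASCII; if an instance name can ever contain a non-ASCII character, the nickname fails the new syntax exactly as it failed the old one, and DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) would be the safer choice. While this definition is being rewritten, its X-ORIGIN 'user-defined' differs from the 'user defined' on the sibling authorityID and authorityParentID lines; worth aligning. The commit message's claim that the change applies cleanly to existing values is plausible, but a test against an instance whose name contains '_' (create a lightweight CA, restart, list) would turn the claim into evidence.
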
diff --git a/base/server/share/conf/schema.ldif b/base/server/share/conf/schema.ldif
index 2fbc86bf181d81a2b2b32f0130543124c33607ae..828d94b31afe54a97dd1c8a416afeb41ad4ca432 100644
--- a/base/server/share/conf/schema.ldif
+++ b/base/server/share/conf/schema.ldif
@@ -677,7 +677,7 @@ dn: cn=schema
 changetype: modify
 add: attributeTypes
 attributeTypes: ( authorityID-oid NAME 'authorityID' DESC 'Authority ID' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' )
-attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 
'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE 
X-ORIGIN 'user-defined' )
+attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 
'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE 
X-ORIGIN 'user-defined' )
 attributeTypes: ( authorityParentID-oid NAME 'authorityParentID' DESC 
'Authority Parent ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE 
X-ORIGIN 'user defined' )
 attributeTypes: ( authorityEnabled-oid NAME 'authorityEnabled' DESC 'Authority 
Enabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user 
defined' )
 attributeTypes: ( authorityDN-oid NAME 'authorityDN' DESC 'Authority DN' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
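
Review bot: this LDIF is applied as `changetype: modify` / `add: attributeTypes` against cn=schema (context at the top of the hunk), so an instance that already loaded the PrintableString definition only picks up the new syntax if the modify is re-applied on upgrade; the diffstat shows no upgrade scriptlet doing that. Either add one, or say in the commit message which existing mechanism re-applies schema.ldif so that deployed instances actually get the fix.
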
-- 
2.5.5

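
To make the syntax difference in the commit message concrete, here is added example code that is not part of Dogtag: it pulls NAME and SYNTAX out of the two attributeTypes definitions from the patch and reports which characters of a candidate nickname each syntax rejects. The nickname format in key_nickname() (instance name and authority ID embedded in one string) and the authority ID are assumptions made for the example; the syntax repertoires are those of X.680 PrintableString and IA5String.

```python
"""Added example, not Dogtag code: check NSS key nicknames against the LDAP
attribute syntaxes named in the commit message."""
import re
import string

# RFC 4517 syntax OIDs appearing in the old and new attributeTypes definitions.
SYNTAX_PRINTABLE_STRING = "1.3.6.1.4.1.1466.115.121.1.44"
SYNTAX_IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"

# The two definitions from the patch, each joined onto one line.
OLD_DEFINITION = ("( authorityKeyNickname-oid NAME 'authorityKeyNickname' "
                  "DESC 'Authority key nickname' SYNTAX " + SYNTAX_PRINTABLE_STRING +
                  " SINGLE-VALUE X-ORIGIN 'user-defined' )")
NEW_DEFINITION = OLD_DEFINITION.replace(SYNTAX_PRINTABLE_STRING, SYNTAX_IA5_STRING)

# X.680 PrintableString repertoire: letters, digits, space and these symbols.
# '_' is absent, which is the whole problem with instance names like pki_tomcat.
PRINTABLE_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")


def printable_string_rejects(value):
    """Characters PrintableString will not accept (empty list means accepted)."""
    return sorted({c for c in value if c not in PRINTABLE_CHARS})


def ia5_string_rejects(value):
    """IA5 (ITU-T T.50) is the 7-bit ASCII repertoire: '_' (0x5F) passes, 'ä' does not."""
    return sorted({c for c in value if ord(c) > 0x7F})


SYNTAX_CHECKS = {
    SYNTAX_PRINTABLE_STRING: printable_string_rejects,
    SYNTAX_IA5_STRING: ia5_string_rejects,
}

_NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")
_SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")


def parse_attribute_type(definition):
    """Extract (NAME, SYNTAX OID) from an attributeTypes value; enough for this check."""
    name, syntax = _NAME_RE.search(definition), _SYNTAX_RE.search(definition)
    if not name or not syntax:
        raise ValueError("not an attributeTypes definition: %r" % definition)
    return name.group(1), syntax.group(1)


def validate(definition, value):
    """(accepted, offending_chars) for a value stored under the given definition."""
    _, syntax = parse_attribute_type(definition)
    if syntax not in SYNTAX_CHECKS:
        raise ValueError("no checker for syntax %s" % syntax)
    rejected = SYNTAX_CHECKS[syntax](value)
    return (not rejected, rejected)


def key_nickname(instance_name, authority_id):
    """Assumed nickname shape (instance name and authority ID embedded in one
    string, as the commit message describes); the exact format is a guess."""
    return "caSigningCert cert-%s %s" % (instance_name, authority_id)


if __name__ == "__main__":
    aid = "00000000-0000-4000-8000-000000000000"   # constructed authority ID
    for inst in ("pki-tomcat", "pki_tomcat", "pki-tomc\u00e4t"):
        nick = key_nickname(inst, aid)
        print("%r\n  old syntax: %s\n  new syntax: %s" % (
            nick, validate(OLD_DEFINITION, nick), validate(NEW_DEFINITION, nick)))
```

The third sample name shows the caveat: IA5String widens the alphabet to ASCII, not to Unicode, so a non-ASCII instance name would still produce an LDAP syntax error under the new definition.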

[Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-22 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
See commit message and bz1323400[1] for full history and details.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400

The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
10.2.x release cut for f23.

I have an f23 COPR build containing the fix for anyone wishing to
test:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/

Huge props to Adam Williamson for doing a lot of legwork in tracking
down the cause of this issue.

Thanks,
Fraser
From 4cbaf297690bf95fffc864cb109bdd6ae49c9dc3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 22 Jun 2016 13:34:01 +1000
Subject: [PATCH] Add profiles container to LDAP if missing

CMS startup was changed a while back to wait for
LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem
initialisation waits for all known profiles to be loaded by the LDAP
persistent search thread.  If the ou=certificateProfiles container
object does not exist, startup hangs.

This can cause a race condition in FreeIPA upgrade.  FreeIPA
switches the Dogtag instance to the LDAPProfileSubsystem and
restarts it.  The restart fails because the container object does
not get added until after the restart.

Update LDAPProfileSubsystem to add the container object itself, if
it is missing, before commencing the persistent search.

Fixes: https://fedorahosted.org/pki/ticket/2285
---
 .../cmscore/profile/LDAPProfileSubsystem.java | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 28b34cda889cc6c2eba4fc3392863df36717fa14..6dea1a0d88beaefeea489ea58ad9ad13d2da8bd7 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -27,6 +27,7 @@ import java.util.TreeSet;
 import java.util.concurrent.CountDownLatch;
 
 import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
 import netscape.ldap.LDAPConnection;
 import netscape.ldap.LDAPDN;
 import netscape.ldap.LDAPEntry;
@@ -400,6 +401,23 @@ public class LDAPProfileSubsystem
 initialLoadDone.countDown();
 }
 
+private void ensureProfilesOU(LDAPConnection conn) throws LDAPException {
+try {
+conn.search(dn, LDAPConnection.SCOPE_BASE, "(objectclass=*)", 
null, false);
+} catch (LDAPException e) {
+if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
+CMS.debug("Adding LDAP certificate profiles container");
+LDAPAttribute[] attrs = {
+new LDAPAttribute("objectClass", "organizationalUnit"),
+new LDAPAttribute("ou", "certificateProfiles")
+};
+LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
+LDAPEntry entry = new LDAPEntry(dn, attrSet);
+conn.add(entry);
+}
+}
+}
+
 public void run() {
 int op = LDAPPersistSearchControl.ADD
 | LDAPPersistSearchControl.MODIFY
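
Review bot: the catch in ensureProfilesOU handles NO_SUCH_OBJECT and silently drops every other LDAPException (there is no else branch), so a bind, ACI or connectivity failure on the base-scope search is lost and run() goes on to start the persistent search as if the container were known to exist; add `else throw e;`. The add is also racy: two CA instances sharing a directory, or FreeIPA's own upgrade code, can create ou=certificateProfiles at the same moment, so treat LDAPException.ENTRY_ALREADY_EXISTS from conn.add(entry) as success instead of letting it propagate. A one-line comment that `dn` is the profiles container DN would help anyone reading this method on its own.
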
@@ -416,6 +434,7 @@ public class LDAPProfileSubsystem
 forgetAllProfiles();
 try {
 conn = dbFactory.getConn();
+ensureProfilesOU(conn);
 LDAPSearchConstraints cons = conn.getSearchConstraints();
 cons.setServerControls(persistCtrl);
 cons.setBatchSize(1);
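
Review bot: ensureProfilesOU(conn) is called inside the existing try in run(), but the hunk does not show how the surrounding catch treats an LDAPException from it or whether initialLoadDone is counted down on that path; if it is not, a failure to create the container (say, an ACI that stops the CA's bind DN from adding entries under its parent) degrades into the same startup hang this patch is meant to remove. Log the container DN and the result code there, and make sure the latch is released or startup aborts with a visible error.
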
-- 
2.5.5


Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

2016-06-20 Thread Fraser Tweedale
On Tue, Jun 21, 2016 at 07:29:22AM +0200, Jan Cholasta wrote:
> On 18.6.2016 02:38, Fraser Tweedale wrote:
> > On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote:
> > > On 17.6.2016 09:34, Fraser Tweedale wrote:
> > > > On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote:
> > > > > Hi,
> > > > > 
> > > > > On 6.5.2016 08:01, Fraser Tweedale wrote:
> > > > > > Hullo all,
> > > > > > 
> > > > > > FreeIPA Lightweight CAs implementation is progressing well.  The
> > > > > > remaining big unknown in the design is how to do renewal.  I have
> > > > > > put my ideas into the design page[1] and would appreciate any and
> > > > > > all feedback!
> > > > > > 
> > > > > > [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
> > > > > > 
> > > > > > Some brief commentary on the options:
> > > > > > 
> > > > > > I intend to implement approach (1) as a baseline.  Apart from
> > > > > > implementing machinery in Dogtag to actually perform the renewal -
> > > > > > which is required for all the approaches - it's not much work and
> > > > > > gets us over the "lightweight CAs can be renewed easily" line, even
> > > > > > if it is a manual process.
> > > > > > 
> > > > > > For automatic renewal, I am leaning towards approach (2).  Dogtag
> > > > > > owns the lightweight CAs so I think it makes sense to give Dogtag
> > > > > > the ability to renew them automatically (if configured to do so),
> > > > > > without relying on external tools i.e. Certmonger.  But as you will
> > > > > > see from the outlines, each approach has its upside and downside.
> > > > > 
> > > > > I would prefer (3), as I would very much like to avoid duplicating
> > > > > certmonger's functionality in Dogtag.
> > > > > 
> > > > > Some comments on the disadvantages:
> > > > > 
> > > > >   * "Proliferation of Certmonger tracking requests; one for each
> > > > > FreeIPA-managed lightweight CA."
> > > > > 
> > > > > I don't think this is an actual issue, as it's purely cosmetic.
> > > > > 
> > > > >   * "Either lightweight CA creation is restricted to the renewal 
> > > > > master, or
> > > > > the renewal master must observe the creation of new lightweight CAs 
> > > > > and
> > > > > start tracking their certificate."
> > > > > 
> > > > > IMO this doesn't have to be done automatically in the initial
> > > > > implementation. You could extend ipa-certupdate to set up certmonger 
> > > > > for
> > > > > lightweight CAs and have admins run it manually on masters after 
> > > > > adding a
> > > > > new lightweight CA. They will have to run it anyway to get the new
> > > > > lightweight CA certificate installed in the system, so it should be 
> > > > > fine to
> > > > > do it this way.
> > > > > 
> > > > I have updated the renew_ca_cert post-save script to perform the
> > > > database update necessary for CA replicas to pick up the new cert.
> > > > What remains is the command to tell certmonger to track the CA.
> > > > 
> > > > You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a
> > > > better fit, e.g.:
> > > > 
> > > > ipa-cacert-manage track 
> > > > 
> > > > It would look up the necessary info (basically just the CA-ID) and
> > > > set up the certmonger tracking.
> > > 
> > > No. ipa-cacert-manage updates global configuration in LDAP, whereas
> > > ipa-certupdate applies the global configuration on the local system.
> > > Updating certmonger configuration is the latter, hence it should be done 
> > > in
> > > ipa-certupdate.
> > > 
> > > Also, I don't think we should expose (un)tracking certificates by CA ID to
> > > users, as all our CA certificates should always be tracked.
> > > 
> > OK, so ipa-certupdate just gets run without arguments on a CA
> > master, and it ensures that all CA certificates are tracked by
> > Certmonger.
> 
> Right.
> 
> > 
> > Makes s

Re: [Pki-devel] [PATCH] 768 Added pki pkcs12-cert-mod command.

2016-06-15 Thread Fraser Tweedale
On Mon, Jun 13, 2016 at 07:24:01PM -0500, Endi Sukma Dewata wrote:
> A new CLI has been added to update the certificate trust flags in
> PKCS #12 file which will be useful to import OpenSSL certificates.
> 
Tested; does what it says on the tin.
ACK.

Cheers,
Fraser



Re: [Pki-devel] [PATCH] 772 Updated instructions to customize TPS token lifecycle.

2016-06-15 Thread Fraser Tweedale
On Wed, Jun 15, 2016 at 11:36:28AM -0500, Endi Sukma Dewata wrote:
> The TPS's CS.cfg and token-states.properties have been updated
> to include instructions to customize token state transitions and
> labels.
> 
> https://fedorahosted.org/pki/ticket/2300
> 
ACK



Re: [Pki-devel] [PATCH] 767 Fixed VLV usage in TPS token and activity services.

2016-06-15 Thread Fraser Tweedale
On Fri, Jun 10, 2016 at 10:29:51AM -0500, Endi Sukma Dewata wrote:
> The TPS token and activity services have been modified to use VLV
> only when the search filter matches the VLV, which is the default
> filter when there is no search keyword/attributes specified by
> the client. In other cases the services will use a normal search.
> 
> https://fedorahosted.org/pki/ticket/2342
> 
> -- 
> Endi S. Dewata
>
Code changes look good.  Might be nice to construct the
(Token|Activity)Collection objects inside the find* methods rather
than constructing them at the call site and passing them in to be populated.
Just a nit, though.

Searching/filtering continues to work as expected.

ACK.



Re: [Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths

2016-01-18 Thread Fraser Tweedale
Updated patch attached; comments inline.

On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> >The attached patch fixes GET-based OCSP requests,
> >https://fedorahosted.org/pki/ticket/1658
> >
> >Cheers,
> >Fraser
> 
> Some comments:
> 
> 1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> security concern:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> 
> The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> allow non-standard parsing of the request URI. Using these options when
> behind a reverse proxy may enable an attacker to bypass any security
> constraints enforced by the proxy.
> 
> However, since we are not dependent on a proxy to protect PKI pages in
> Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> anybody else has a concern.
> 
I do not see a vulnerability - AFAICT the vulnerability was from
proxies enforcing path-based access control but parsed path
differently, which as you point out is not our situation.  Hopefully
we are not overlooking something.

> 2. I think the catalina.properties that needs to be modified is in
> base/server/share/conf. The others are duplicates that should've been
> removed.
> 
Patch updated.  I'll send another patch removing the obsolete
catalina.properties files soon.

> 3. During deployment the catalina.properties is copied into <instance dir>/conf. So if we want to fix existing instances we need to write an
> upgrade script.
> 
Added an upgrade script.

Thanks for reviewing!
Fraser
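
The reason the encoded slash matters is visible once a GET-based OCSP request is actually built. The following is added example code, not Dogtag's: a hand-written DER encoder assembles a minimal unsigned OCSPRequest, the request is base64-encoded and percent-encoded into the path as RFC 6960 Appendix A.1 prescribes, and a helper searches for a serial number whose encoding contains '/', which is exactly the request Tomcat rejected with 400 before the change. The responder URL and the issuer name and key bytes are constructed placeholders; only their SHA-1 digests enter the request.

```python
"""Added example, not Dogtag code: build a minimal GET-based OCSP request and
show why its path needs an encoded slash."""
import base64
import hashlib
import urllib.parse


# ---- just enough DER to assemble an unsigned OCSPRequest ----------------
def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))


def der_octet_string(data):
    return der_tlv(0x04, data)


def der_integer(n):
    """Non-negative INTEGER, minimal length, leading 0x00 when the top bit is set."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


# AlgorithmIdentifier { id-sha1 (1.3.14.3.2.26), NULL }
SHA1_ALGID = der_sequence(bytes.fromhex("06052b0e03021a"), b"\x05\x00")


def ocsp_request_der(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest { tbsRequest { requestList [ Request { CertID } ] } } per RFC 6960
    4.1.1, with version left at its default (v1), no requestorName and no signature."""
    cert_id = der_sequence(
        SHA1_ALGID,
        der_octet_string(hashlib.sha1(issuer_name_der).digest()),  # issuerNameHash
        der_octet_string(hashlib.sha1(issuer_key_bits).digest()),  # issuerKeyHash
        der_integer(serial),                                        # serialNumber
    )
    request_list = der_sequence(der_sequence(cert_id))  # SEQUENCE OF Request
    return der_sequence(der_sequence(request_list))     # OCSPRequest { TBSRequest }


def ocsp_get_url(responder_url, request_der):
    """RFC 6960 A.1: GET {url}/{url-encoding of base-64 encoding of the DER encoding
    of the OCSPRequest}.  safe="" turns '/', '+' and '=' into %2F, %2B and %3D;
    the server must accept %2F inside a path segment for this to work at all."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def decode_ocsp_get_segment(segment):
    """The responder's side: percent-decode the last path segment, then base64-decode."""
    return base64.b64decode(urllib.parse.unquote(segment), validate=True)


def first_serial_needing_encoded_slash(issuer_name_der, issuer_key_bits, start=1, limit=1000):
    """Smallest serial in range whose request base64 contains '/', i.e. a request
    Tomcat answered with 400 Bad Request before ALLOW_ENCODED_SLASH was enabled."""
    for serial in range(start, start + limit):
        der = ocsp_request_der(issuer_name_der, issuer_key_bits, serial)
        if b"/" in base64.b64encode(der):
            return serial
    raise RuntimeError("no slash-bearing request in range")


# Constructed inputs: only their SHA-1 digests enter the request, so any bytes do.
ISSUER_NAME_DER = b"constructed issuer Name DER placeholder"
ISSUER_KEY_BITS = b"constructed issuer subjectPublicKey bits placeholder"
RESPONDER_URL = "http://ca.example.test:8080/ca/ocsp"   # constructed responder URL

if __name__ == "__main__":
    serial = first_serial_needing_encoded_slash(ISSUER_NAME_DER, ISSUER_KEY_BITS)
    der = ocsp_request_der(ISSUER_NAME_DER, ISSUER_KEY_BITS, serial)
    print("serial %d -> %s" % (serial, ocsp_get_url(RESPONDER_URL, der)))
```

Whether a given request needs the encoded slash depends only on whether '/' (value 63) appears in its base64 alphabet positions, so roughly three quarters of real requests of this size hit it; the Tomcat caveat from the review thread still stands, since a reverse proxy that applies path rules before decoding sees a different path than Tomcat does.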
From e4cd7e5974e1be74ac4d360eb881e73b7d5142cc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 5 Nov 2015 00:17:24 -0500
Subject: [PATCH] Allow encoded slashes in HTTP paths

Properly formed GET-based OCSP requests can contain URL-encoded
slashes in the HTTP path[1] but our Tomcat configuration does not
permit this (returns 400 Bad Request).  Change catalina.properties
to allow URL-encoded slashes in HTTP paths.

[1] https://tools.ietf.org/html/rfc6960#appendix-A.1

Also add an upgrade script to update catalina.properties in existing
instances.

Fixes: https://fedorahosted.org/pki/ticket/1658
---
 base/server/share/conf/catalina.properties  |  2 ++
 base/server/upgrade/10.3.0/01-AllowEncodedSlash | 37 +
 2 files changed, 39 insertions(+)
 create mode 100755 base/server/upgrade/10.3.0/01-AllowEncodedSlash

diff --git a/base/server/share/conf/catalina.properties b/base/server/share/conf/catalina.properties
index 003089a4310455f68c067ccf669123e37a568fe3..2199a78d881da214130f05d186819a043b5e7ee2 100644
--- a/base/server/share/conf/catalina.properties
+++ b/base/server/share/conf/catalina.properties
@@ -123,3 +123,5 @@ tomcat.util.buf.StringCache.byte.enabled=true
 #tomcat.util.buf.StringCache.char.enabled=true
 #tomcat.util.buf.StringCache.trainThreshold=50
 #tomcat.util.buf.StringCache.cacheSize=5000
+
+org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
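
Review bot: the property is switched on with no comment saying why, and Tomcat's own security how-to (quoted in the review thread) flags ALLOW_ENCODED_SLASH as a proxy-bypass risk, so the next person auditing catalina.properties will want the rationale beside it. Add a line such as `# Accept %2F in paths: GET-based OCSP requests carry base64 in the URL (RFC 6960 A.1)` above it, and note in the documentation that a deployment fronting the CA with a reverse proxy that makes path-based decisions must decode before filtering, since the proxy and Tomcat will otherwise disagree about where the path segments are.
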
diff --git a/base/server/upgrade/10.3.0/01-AllowEncodedSlash b/base/server/upgrade/10.3.0/01-AllowEncodedSlash
new file mode 100755
index 
..3225d3a7e754e629eb42b1612684695856720134
--- /dev/null
+++ b/base/server/upgrade/10.3.0/01-AllowEncodedSlash
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+# Authors:
+# Fraser Tweedale <ftwee...@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+import pki.server.upgrade
+
+class AllowEncodedSlash(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+def __init__(self):
+super(AllowEncodedSlash, self).__init__()
+self.message = 'Enable Tomcat ALLOW_ENCODED_SLASH parameter'
+
+def upgrade_instance(self, instance):
+path = os.path.join(instance.base_dir, 'conf', 'catalina.properties')
+if os.path.isfile(path):
+with open(path, 'a+') as f:
+data = f.read()
+if 'ALLOW_ENCODED_SLASH=' not in data:
+
f.write('\norg.apache
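
Review bot: upgrade_instance opens catalina.properties with 'a+' and calls f.read() without seeking; wherever the runtime positions an 'a+' stream at end-of-file (CPython 3 always does, C runtimes vary) data is '' so the `'ALLOW_ENCODED_SLASH=' not in data` check never fires and every upgrade run appends another copy of the property. Call f.seek(0) before f.read(), or read with one open() and append with a second. The substring test is also too loose: a commented-out `#org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false` line satisfies it and the property stays off; match the full uncommented key instead.
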

[Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-27 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
Wanted for 10.3.4.

Thanks,
Fraser
From 3ad777d8009f025f1aac1159910dd0a4d327bd13 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sat, 25 Jun 2016 00:14:11 +0200
Subject: [PATCH] Respond 400 if lightweight CA cert issuance fails

If certificate issuance fails during lightweight CA creation (e.g.
due to a profile constraint violation such as Subject DN not
matching pattern) the API responds with status 500.

Raise BadRequestDataException if cert issuance fails in a way that
indicates bad or invalid CSR data, and catch it to respond with
status 400.

Fixes: https://fedorahosted.org/pki/ticket/2388
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java  | 18 +++---
 .../org/dogtagpki/server/ca/rest/AuthorityService.java |  3 ++-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index e501380c8dd6d2d6fc400ad9f43677bfae7e258e..9f6445c56369f00cd857890fe63b577b6db81350 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -74,6 +74,7 @@ import org.mozilla.jss.pkix.primitive.Name;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authority.ICertAuthority;
+import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
@@ -2680,8 +2681,16 @@ public class CertificateAuthority
 if (result != null && !result.equals(IRequest.RES_SUCCESS))
 throw new EBaseException("createSubCA: certificate request 
submission resulted in error: " + result);
 RequestStatus requestStatus = request.getRequestStatus();
-if (requestStatus != RequestStatus.COMPLETE)
-throw new EBaseException("createSubCA: certificate request did 
not complete; status: " + requestStatus);
+if (requestStatus != RequestStatus.COMPLETE) {
+// The request did not complete.  Inference: something
+// incorrect in the request (e.g. profile constraint
+// violated).
+String msg = "Failed to issue CA certificate. Final status: " 
+ requestStatus + ".";
+String errorMsg = request.getExtDataInString(IRequest.ERROR);
+if (errorMsg != null)
+msg += " Additional info: " + errorMsg;
+throw new BadRequestDataException(msg);
+}
 
 // Add certificate to nssdb
 cert = 
request.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
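
Review bot: the comment `// The request did not complete. Inference: something incorrect in the request` generalises too far: a profile that defers to agent approval leaves the request PENDING, and a rejection by an authorisation or policy check is not bad client data either, yet every non-COMPLETE status now becomes a BadRequestDataException and a 400 to the caller. Map REJECTED to the 400 path and keep the other statuses on the EBaseException path (or give PENDING its own message saying the CA certificate awaits approval). Also check whether `request.getExtDataInString(IRequest.ERROR)` is safe to echo verbatim to an API client; it is free-form text from the profile and policy layer.
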
@@ -2697,7 +2706,10 @@ public class CertificateAuthority
 // log this error.
 CMS.debug("Error deleting new authority entry after failure 
during certificate generation: " + e2);
 }
-throw new ECAException("Error creating lightweight CA certificate: 
" + e);
+if (e instanceof BadRequestDataException)
+throw (BadRequestDataException) e;  // re-throw
+else
+throw new ECAException("Error creating lightweight CA 
certificate: " + e);
 }
 
 CertificateAuthority ca = new CertificateAuthority(
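
Review bot: the `if (e instanceof BadRequestDataException) throw (BadRequestDataException) e; else throw new ECAException(...)` inside the catch reads better as a dedicated `catch (BadRequestDataException e)` placed before the general one, with the authority-entry cleanup factored into a helper both clauses call; that removes the cast and makes it obvious the cleanup runs on both paths. Note too that `new ECAException("Error creating lightweight CA certificate: " + e)` keeps only the message text and drops the cause, so the original stack trace is gone by the time the 500 is logged.
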
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 5ecabacd9a84a4d06e529ca0099f561155f7d791..7bca10fa1dfbfe7dbae5b5c0288c4c59c1075cf9 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -38,6 +38,7 @@ import javax.ws.rs.core.UriInfo;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.AuthorityData;
 import com.netscape.certsrv.authority.AuthorityResource;
+import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
@@ -207,7 +208,7 @@ public class AuthorityService extends PKIService implements 
AuthorityResource {
 audit(ILogger.SUCCESS, OpDef.OP_ADD,
 subCA.getAuthorityID().toString(), auditParams);
 return createOKResponse(readAuthorityData(subCA));
-} catch (IllegalArgumentException e) {
+} catch (IllegalArgumentException | BadRequestDataException e) {
 throw new BadRequestException(e.toString());
 } catch (CANotFoundException e) {
 throw new ResourceNotFoundException(e.toString());
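
Review bot: `new BadRequestException(e.toString())` puts the fully-qualified exception class name into the 400 response body along with the message; `e.getMessage()` gives the client the diagnostic without the internal class name, and applies equally to the IllegalArgumentException case that shares the clause.
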
-- 
2.5.5


Re: [Pki-devel] [Freeipa-devel] [DESIGN] Lightweight CA renewal

2016-06-17 Thread Fraser Tweedale
On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote:
> Hi,
> 
> On 6.5.2016 08:01, Fraser Tweedale wrote:
> > Hullo all,
> > 
> > FreeIPA Lightweight CAs implementation is progressing well.  The
> > remaining big unknown in the design is how to do renewal.  I have
> > put my ideas into the design page[1] and would appreciate any and
> > all feedback!
> > 
> > [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
> > 
> > Some brief commentary on the options:
> > 
> > I intend to implement approach (1) as a baseline.  Apart from
> > implementing machinery in Dogtag to actually perform the renewal -
> > which is required for all the approaches - it's not much work and
> > gets us over the "lightweight CAs can be renewed easily" line, even
> > if it is a manual process.
> > 
> > For automatic renewal, I am leaning towards approach (2).  Dogtag
> > owns the lightweight CAs so I think it makes sense to give Dogtag
> > the ability to renew them automatically (if configured to do so),
> > without relying on external tools i.e. Certmonger.  But as you will
> > see from the outlines, each approach has its upside and downside.
> 
> I would prefer (3), as I would very much like to avoid duplicating
> certmonger's functionality in Dogtag.
> 
> Some comments on the disadvantages:
> 
>   * "Proliferation of Certmonger tracking requests; one for each
> FreeIPA-managed lightweight CA."
> 
> I don't think this is an actual issue, as it's purely cosmetic.
> 
>   * "Either lightweight CA creation is restricted to the renewal master, or
> the renewal master must observe the creation of new lightweight CAs and
> start tracking their certificate."
> 
> IMO this doesn't have to be done automatically in the initial
> implementation. You could extend ipa-certupdate to set up certmonger for
> lightweight CAs and have admins run it manually on masters after adding a
> new lightweight CA. They will have to run it anyway to get the new
> lightweight CA certificate installed in the system, so it should be fine to
> do it this way.
> 
I have updated the renew_ca_cert post-save script to perform the
database update necessary for CA replicas to pick up the new cert.
What remains is the command to tell certmonger to track the CA.

You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a
better fit, e.g.:

ipa-cacert-manage track 

It would look up the necessary info (basically just the CA-ID) and
set up the certmonger tracking.

It could be an error to run the command on other than the renewal
master.

An untrack command could also be provided.

Thoughts?

>   * "Development of new Certmonger renewal helpers solely for lightweight CA
> renewal."
> 
> It would be easier to extend the existing helpers. I don't think there
> is anything preventing them from being used for lighweight CAs, except not
> conveying the CA name, which should be easy to implement.
> 
> 
> I would also avoid starting with (1), I don't believe it adds any real
> value. IMHO the first thing that should be done is implement lightweight CA
> support in certmonger (add new 'request' / 'start-tracking' option for CA
> name, store it in tracking requests, pass it to CA helpers in a new
> environment variable).
> 
> 
> Honza
> 
> -- 
> Jan Cholasta



Re: [Pki-devel] [PATCH] 0065 Profile service: respond 409 on conflicting operations

2016-02-14 Thread Fraser Tweedale
On Thu, Feb 11, 2016 at 08:58:41PM -0600, Endi Sukma Dewata wrote:
> On 1/6/2016 11:22 PM, Fraser Tweedale wrote:
> >Please review attached patch which fixes:
> >https://bugzilla.redhat.com/show_bug.cgi?id=1257518
> >
> >Cheers,
> >Fraser
> 
> ACK.
> 
Thanks!  Pushed to master (27a38daf9840e4fd9bc031daf25024806d05e943)



Re: [Pki-devel] [PATCH] 684 Refactored PKCS12CertInfo and PKCS12KeyInfo classes.

2016-02-18 Thread Fraser Tweedale
On Wed, Feb 17, 2016 at 01:02:26AM -0600, Endi Sukma Dewata wrote:
> On 2/16/2016 11:36 AM, Endi Sukma Dewata wrote:
> >The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out
> >of PKCS12Util into separate classes.
> >
> >The createLocalKeyID() has been modified to return BigInteger
> >instead of byte array.
> >
> >https://fedorahosted.org/pki/ticket/1742
> >
> >This depends on patch #682 and #683.
> 
> Rebased on top of #682-1 and #683-1.
> 
> -- 
> Endi S. Dewata
>
ACK



Re: [Pki-devel] [PATCHES] Updated tomcatjss and pki-core to work with Tomcat 7.0.68 on F22

2016-03-18 Thread Fraser Tweedale
On Wed, Mar 16, 2016 at 06:51:11PM -0600, Matthew Harmsen wrote:
> Everyone,
> 
> Bodhi contains a proposed Fedora 22 update to Tomcat 7.0.68:
> 
>  * tomcat-7.0.68-3.fc22
>
> 
> This required changes to both tomcatjss (attached) and pki-core (attached).
> 
> These changes are specific to the Fedora 22 platform only; they have only
> been tested out via a Dogtag CA, not yet on FreeIPA, and require all of the
> following packages to be installed:
> 
I tested FreeIPA; installation failed without these changes,
succeeded with them, so LGTM.



[Pki-devel] [PATCH] 0083 Add CRL dist points extension to OIDMap unconditionally

2016-03-18 Thread Fraser Tweedale
Hello all,

The attached patch fixes https://fedorahosted.org/pki/ticket/2237.

Cheers,
Fraser
From 54d1a922789c500d5e2ae828105861227093 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 18 Mar 2016 10:53:18 +1100
Subject: [PATCH] Add CRL dist points extension to OIDMap unconditionally

It is possible to encounter a case where the
CRLDistributionPointsExtension static initialiser, which adds the
class to the OIDMap, has not been invoked.  This can cause a
ClassCastException, e.g. in CRLDistributionPointsExtDefault.

Update OIDMap to add CRLDistributionPointsExtension in its own
static initialiser.

Fixes: https://fedorahosted.org/pki/ticket/2237
---
 .../security/x509/CRLDistributionPointsExtension.java   |  8 
 base/util/src/netscape/security/x509/OIDMap.java| 17 +
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git 
a/base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java 
b/base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java
index 
d8dee03a7f3fcbc21c9392d55d577acbfaa907c8..1cfb770df60b26a7a849b8bc4bea70424e9416df
 100644
--- a/base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java
+++ b/base/util/src/netscape/security/x509/CRLDistributionPointsExtension.java
@@ -178,14 +178,6 @@ public class CRLDistributionPointsExtension extends 
Extension
 /
 public static final String NAME = "CRLDistributionPoints";
 
-static {
-try {
-OIDMap.addAttribute(CRLDistributionPointsExtension.class.getName(),
-OID, NAME);
-} catch (CertificateException e) {
-}
-}
-
 @Override
 public String toString() {
 return NAME;
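Review bot: with the self-registering static block removed, this class no longer appears in OIDMap unless OIDMap's own initialiser registers it, which is the intent of the patch, but the removed catch was the only visible use of `CertificateException` in this hunk; if that import has no other use in the file, drop it with this change so the build stays warning-free.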
diff --git a/base/util/src/netscape/security/x509/OIDMap.java 
b/base/util/src/netscape/security/x509/OIDMap.java
index 
4cebcf2c82f7cba3b773cc4911f1df749f9c1213..20765c934df16ee4fba2bad99c1d7abdfb910280
 100644
--- a/base/util/src/netscape/security/x509/OIDMap.java
+++ b/base/util/src/netscape/security/x509/OIDMap.java
@@ -99,6 +99,7 @@ public class OIDMap {
 static {
 loadNames();
 loadClasses();
+addClass(CRLDistributionPointsExtension.class);
 }
 
 // Load the default name to oid map (EXTENSIONS_OIDS)
@@ -228,6 +229,22 @@ public class OIDMap {
 }
 
 /**
+ * Add an extension to the OIDMap.
+ *
+ * Assumes existence of static OID and NAME fields with unique values.
+ */
+public static void addClass(Class clazz) {
+try {
+addAttribute(clazz.getName(),
+(String) clazz.getField("OID").get(null),
+(String) clazz.getField("NAME").get(null));
+} catch (Throwable e) {
+System.out.println(
+"Error adding class " + clazz.getName() + " to OIDMap: " + e);
+}
+}
+
+/**
  * Add a name to lookup table.
  *
  * @param className the name of the fully qualified class implementing
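Review bot: `catch (Throwable e)` in `addClass` is too broad: besides the expected `NoSuchFieldException`, `IllegalAccessException` and `CertificateException` it also swallows Errors such as `ExceptionInInitializerError` from the extension class's own static initialiser, which would leave OIDMap silently incomplete. Catch `ReflectiveOperationException | CertificateException` instead, declare the parameter as `Class<?>` rather than the raw `Class`, and report the failure through the server's logging rather than `System.out.println`, since this runs from a library static initialiser where stdout may go nowhere useful.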
-- 
2.5.0
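As an added illustration (not part of this patch or of Dogtag's code) of why the extension's own static initialiser may never have run: the JVM initialises a class lazily, and a `static final` String initialised from a literal is a compile-time constant that the compiler inlines at use sites, so referencing `OID` does not trigger the class's static block. `Registry`, `SelfRegisteringExt`, `Extension` and `parse` are hypothetical stand-ins for OIDMap, CRLDistributionPointsExtension, the generic Extension class and CRLDistributionPointsExtDefault.

```java
import java.util.HashMap;
import java.util.Map;

public class LazyInitDemo {

    /** Stand-in for OIDMap: maps an extension OID to the class that parses it. */
    static final class Registry {
        static final Map<String, Class<?>> BY_OID = new HashMap<>();

        /** Mirrors the patch's OIDMap.addClass: read the static OID field reflectively. */
        static void addClass(Class<?> clazz) {
            try {
                // Field.get on a static field forces initialisation of clazz,
                // so any static block it has will have run before we return.
                String oid = (String) clazz.getField("OID").get(null);
                BY_OID.put(oid, clazz);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("cannot register " + clazz.getName(), e);
            }
        }

        static Class<?> classFor(String oid) {
            return BY_OID.get(oid);
        }
    }

    /** Generic extension returned when no parser is registered for an OID. */
    static class Extension {}

    /** Pre-patch CRLDistributionPointsExtension: relies on self-registration. */
    static final class SelfRegisteringExt extends Extension {
        // Real OID of id-ce-cRLDistributionPoints. Being a compile-time constant,
        // it is inlined wherever it is used, so reading it does NOT initialise
        // this class and the static block below stays dormant.
        public static final String OID = "2.5.29.31";

        static {
            Registry.addClass(SelfRegisteringExt.class);  // runs only on class init
        }
    }

    /** Stand-in for the ExtDefault code path: look up the parser by OID, then cast. */
    static Extension parse(String oid) {
        Class<?> c = Registry.classFor(oid);
        if (c == null) {
            return new Extension();  // unknown OID: fall back to the generic type
        }
        try {
            return (Extension) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // 1. Nothing has initialised SelfRegisteringExt yet. The inlined OID
        //    constant does not help, so the lookup misses and the cast fails.
        System.out.println("registered before init? "
                + (Registry.classFor(SelfRegisteringExt.OID) != null));  // false
        Extension generic = parse(SelfRegisteringExt.OID);
        try {
            SelfRegisteringExt ext = (SelfRegisteringExt) generic;
            System.out.println("unexpected: " + ext);
        } catch (ClassCastException cce) {
            System.out.println("ClassCastException, as in ticket 2237: " + cce.getMessage());
        }

        // 2. The patch's approach: the registry registers the class itself.
        //    Reflection initialises the class, so the lookup now succeeds.
        Registry.addClass(SelfRegisteringExt.class);
        SelfRegisteringExt ext = (SelfRegisteringExt) parse(SelfRegisteringExt.OID);
        System.out.println("after explicit registration: " + ext.getClass().getSimpleName());
    }
}
```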


Re: [Pki-devel] [PATCH] 0076 Avoid XML parse fail with double-hyphen in hostname

2016-03-15 Thread Fraser Tweedale
On Tue, Mar 15, 2016 at 12:24:58PM -0500, Endi Sukma Dewata wrote:
> On 3/2/2016 10:04 PM, Fraser Tweedale wrote:
> >On Thu, Mar 03, 2016 at 11:40:15AM +1000, Fraser Tweedale wrote:
> >>Attached patch fixes #1260: Installation fails due to double hyphen
> >>"--" in hostname.
> >>
> >>Cheers,
> >>Fraser
> >>
> >ACKed by Ade;
> >pushed to master (8beb5cfa4cd81fbf47ea8cd6839b793c2a12284e)
> >
> >Cheers,
> >Fraser
> 
> The patch changes "" into "" in new instances only.
> Suppose in the future we write a script that parses "" (e.g.
> to remove the section) it would not be able to find it in an upgraded
> instance. Ideally there should be an upgrade script to change ""
> into "" in existing instances too.
> 
This is a fair point; I've filed a ticket:
https://fedorahosted.org/pki/ticket/2234



[Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-15 Thread Fraser Tweedale
The attached patch makes a change to how ACLs are loaded from
database, to allow a single ACL to be specified across several
values.

Thanks,
Fraser
From 1fd4824d8b46d995286e5bad689e903e5e954831 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 15 Mar 2016 18:22:02 +1100
Subject: [PATCH] Allow multiple ACLs of same name (union of rules)

Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.

If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rules to the
existing ACL.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../cms/src/com/netscape/cms/authorization/AAclAuthz.java  | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 
089cca9bea9f7cfcdac65f6023060109eb6b8d10..400649cd53ca5801af6af216f8145d265c5d52f4
 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -160,7 +160,15 @@ public abstract class AAclAuthz {
 ACL acl = (ACL) CMS.parseACL(resACLs);
 
 if (acl != null) {
-mACLs.put(acl.getName(), acl);
+ACL curACL = mACLs.get(acl.getName());
+if (curACL == null) {
+mACLs.put(acl.getName(), acl);
+} else {
+Enumeration entries = acl.entries();
+while (entries.hasMoreElements()) {
+curACL.addEntry(entries.nextElement());
+}
+}
 } else {
 log(ILogger.LL_FAILURE, "parseACL failed");
 }
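Review bot: only the entries of the duplicate-named ACL are merged into `curACL`; its rights (the set that `ACL.rights()` exposes) are dropped, so a later resourceACLS value that introduces a right not present in the first-loaded ACL leaves the merged ACL without it. Merge `acl.rights()` into `curACL` alongside the entries. The raw `Enumeration` should also be parameterised with the entry type so the `addEntry` call is checked at compile time.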
-- 
2.5.0


[Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-03-19 Thread Fraser Tweedale
Hi all,

The attached patches implement replication support for lightweight
CAs.  These patches do not implement key replication via Custodia
(my next task) but they do implement the persistent search thread
and appropriate** API behaviour when the signing keys are not yet
available.

** In most cases, we respond 503 Service Unavailable; this is open
   for discussion.  ca-authority-find and ca-authority-show include
   a boolean field indicating whether the CA is ready to sign.
   There might be (probably are) endpoints I've missed.

Cheers,
Fraser
From fae1f14095cba4a9a14486230f9b0d353dcf7513 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 9 Mar 2016 02:18:41 -0500
Subject: [PATCH 84/86] Lightweight CAs: monitor database for changes

Implement a thread that performs an LDAP persistent search to keep a
running CA's view of lightweight CAs in sync with the database.

Signing key replication is not yet supported; this will be
implemented in a later patch and will not use the database to
propagate keys.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 689 ++---
 base/ca/src/com/netscape/ca/SigningUnit.java   |   3 +-
 .../netscape/certsrv/ca/CAMissingKeyException.java |  15 +
 3 files changed, 486 insertions(+), 221 deletions(-)
 create mode 100644 
base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
63c7ca4e4a8083dc58b54196af89cc7629e9fd97..d8177e1708dca15ae97c5c01534215a64dbe34d0
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -43,7 +43,9 @@ import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.TreeMap;
+import java.util.TreeSet;
 import java.util.Vector;
+import java.util.concurrent.CountDownLatch;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -51,11 +53,18 @@ import javax.servlet.http.HttpSession;
 import netscape.ldap.LDAPAttribute;
 import netscape.ldap.LDAPAttributeSet;
 import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPConstraints;
+import netscape.ldap.LDAPControl;
 import netscape.ldap.LDAPEntry;
 import netscape.ldap.LDAPException;
 import netscape.ldap.LDAPModification;
 import netscape.ldap.LDAPModificationSet;
+import netscape.ldap.LDAPSearchConstraints;
 import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.controls.LDAPEntryChangeControl;
+import netscape.ldap.controls.LDAPPersistSearchControl;
+import netscape.ldap.util.DN;
+
 import netscape.security.pkcs.PKCS10;
 import netscape.security.util.DerOutputStream;
 import netscape.security.util.DerValue;
@@ -101,6 +110,7 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
+import com.netscape.certsrv.ca.CAMissingKeyException;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.CANotLeafException;
 import com.netscape.certsrv.ca.CATypeException;
@@ -150,6 +160,8 @@ import com.netscape.cmscore.request.RequestSubsystem;
 import com.netscape.cmscore.security.KeyCertUtil;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.ldap.LDAPPostReadControl;
+import com.netscape.cmsutil.ldap.LDAPUtil;
 import com.netscape.cmsutil.ocsp.BasicOCSPResponse;
 import com.netscape.cmsutil.ocsp.CertID;
 import com.netscape.cmsutil.ocsp.CertStatus;
@@ -176,11 +188,13 @@ import com.netscape.cmsutil.ocsp.UnknownInfo;
  * @author lhsiao
  * @version $Revision$, $Date$
  */
-public class CertificateAuthority implements ICertificateAuthority, 
ICertAuthority, IOCSPService {
+public class CertificateAuthority
+implements ICertificateAuthority, ICertAuthority, IOCSPService, 
Runnable {
 public static final String OFFICIAL_NAME = "Certificate Manager";
 
 public final static OBJECT_IDENTIFIER OCSP_NONCE = new 
OBJECT_IDENTIFIER("1.3.6.1.5.5.7.48.1.2");
 
+private static ILdapConnFactory dbFactory = null;
 private static final Map<AuthorityID, ICertificateAuthority> caMap =
 Collections.synchronizedSortedMap(new TreeMap<AuthorityID, 
ICertificateAuthority>());
 protected CertificateAuthority hostCA = null;
@@ -188,6 +202,7 @@ public class CertificateAuthority implements 
ICertificateAuthority, ICertAuthori
 protected AuthorityID authorityParentID = null;
 protected String authorityDescription = null;
 protected boolean authorityEnabled = true;
+private boolean hasKeys = false;
 
 protected ISubsystem mOwner = null;
 protected IConfigStore mConfig = null;
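Review bot: `private boolean hasKeys` is a plain field on a class that now implements `Runnable` and runs a persistent-search thread, so it will be written by that thread and read by request-serving threads. Without `volatile` or a common lock there is no visibility guarantee, and a request thread may keep seeing `hasKeys == false` after the key has been imported (or, worse, the reverse during shutdown). Declare it `volatile` or guard every access with the same monitor.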
@@ -283,6 +298,19 @@ public

Re: [Pki-devel] [PATCH] 0077..0081 assorted code deletions

2016-03-21 Thread Fraser Tweedale
On Mon, Mar 21, 2016 at 10:16:43PM -0500, Endi Sukma Dewata wrote:
> On 3/13/2016 7:25 PM, Fraser Tweedale wrote:
> >Hi all,
> >
> >Attached patches implement various drive-by or long-threatened code
> >deletions.
> >
> >0077
> >   Remove unused imports caused by me in a recent patch
> >0078
> >   Remove unused vars/fields from ProfileService/ProfileSubsystem
> >0079
> >   Remove RAEnrollProfile class.  Background:
> >   https://www.redhat.com/archives/pki-devel/2015-June/msg00038.html
> >0080
> >   Drive-by removal of some commented-out code
> >0081
> >   Delete some unused methods
> >
> >Thanks,
> >Fraser
> 
> ACK to all of the above.
> 
Thanks Endi; pushed to master:

feaa0b8f2c277f7633ba4f46cdeb124004cb1ba3 Remove unused 'toMIME64' methods
364013d6d06a701a02b3218d96e09b4851253c67 Remove commented-out code
d6fddf0540af1bcdede4304a0cc7ccfae8f70dd4 Remove unused class 'RAEnrollProfile'
8094b9598a4fb5d2e955a36484d9578c57d7f0e6 Remove unused variables from profile 
classes
f699daab078f4e327aa065ae6c26be86f9211445 Remove unused imports from OCSP 
authority classes

Cheers,
Fraser



Re: [Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-21 Thread Fraser Tweedale
On Mon, Mar 21, 2016 at 10:39:08PM -0500, Endi Sukma Dewata wrote:
> On 3/15/2016 8:14 PM, Fraser Tweedale wrote:
> >The attached patch makes a change to how ACLs are loaded from
> >database, to allow a single ACL to be specified across several
> >values.
> >
> >Thanks,
> >Fraser
> 
> Should the ACL.rights be merged as well?
> 
Yes, it should; nice catch.  Updated patch attached.

Thanks,
Fraser
From 5dcda9815d57a45c1f2d6327eb45dd8a9ac45f74 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 15 Mar 2016 18:22:02 +1100
Subject: [PATCH] Allow multiple ACLs of same name (union of rules)

Several lightweight CA ACLs share the 'certServer.ca.authorities'
name, but when loading ACLs each load overwrites the previous.

If multiple resourceACLS values have the same name, instead of
replacing the existing ACL with the new one, add the rights and
rules to the existing ACL.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 base/common/src/com/netscape/certsrv/acls/ACL.java| 15 +--
 .../cms/src/com/netscape/cms/authorization/AAclAuthz.java | 14 +-
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java 
b/base/common/src/com/netscape/certsrv/acls/ACL.java
index 
292be4cddc1c864e2cff8494f047295cd142b40f..86720810ccbd5275aa905d9c5d3e3f00f5fb6444
 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -17,7 +17,10 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.acls;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Enumeration;
+import java.util.TreeSet;
 import java.util.Vector;
 
 /**
@@ -40,7 +43,7 @@ public class ACL implements IACL, java.io.Serializable {
 private static final long serialVersionUID = -1867465948611161868L;
 
 protected Vector entries = new Vector(); // ACL entries
-protected Vector rights = null; // possible rights entries
+protected TreeSet rights = null; // possible rights entries
 protected String resourceACLs = null; // exact resourceACLs string on ldap 
server
 protected String name = null; // resource name
 protected String description = null; // resource description
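Review bot: `rights` is a serialised field of a `java.io.Serializable` class, and its type changes from `Vector` to `TreeSet` while `serialVersionUID` stays at -1867465948611161868L; any ACL serialised with the old layout will fail to deserialise with an InvalidClassException (incompatible field type). If ACL objects are ever persisted or sent between JVMs, bump the serialVersionUID with this change. The new field should also be `TreeSet<String>` rather than the raw type.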
@@ -65,12 +68,12 @@ public class ACL implements IACL, java.io.Serializable {
  *Allow administrators to read and modify log
  *configuration"
  */
-public ACL(String name, Vector rights, String resourceACLs) {
+public ACL(String name, Collection rights, String resourceACLs) {
 setName(name);
 if (rights != null) {
-this.rights = rights;
+this.rights = new TreeSet<>(rights);
 } else {
-this.rights = new Vector();
+this.rights = new TreeSet<>();
 }
 this.resourceACLs = resourceACLs;
 
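Review bot: `new TreeSet<>(rights)` over a raw `Collection` relies on every element being mutually Comparable; a caller passing anything other than Strings would get a ClassCastException at construction time rather than a compile error. Declaring the parameter as `Collection<String>` makes the contract explicit and lets the compiler enforce it.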
@@ -170,7 +173,7 @@ public class ACL implements IACL, java.io.Serializable {
  * @param right The right to be added for this ACL
  */
 public void addRight(String right) {
-rights.addElement(right);
+rights.add(right);
 }
 
 /**
@@ -189,6 +192,6 @@ public class ACL implements IACL, java.io.Serializable {
  * @return enumeration of rights defined for this ACL
  */
 public Enumeration rights() {
-return rights.elements();
+return Collections.enumeration(rights);
 }
 }
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 
089cca9bea9f7cfcdac65f6023060109eb6b8d10..b3e447cfca49951fe78f6b4896652921ffc43406
 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -160,7 +160,19 @@ public abstract class AAclAuthz {
 ACL acl = (ACL) CMS.parseACL(resACLs);
 
 if (acl != null) {
-mACLs.put(acl.getName(), acl);
+ACL curACL = mACLs.get(acl.getName());
+if (curACL == null) {
+mACLs.put(acl.getName(), acl);
+} else {
+for (Enumeration entries = acl.entries() ;
+entries.hasMoreElements() ; ) {
+curACL.addEntry(entries.nextElement());
+}
+for (Enumeration rights = acl.rights() ;
+rights.hasMoreElements() ; ) {
+curACL.addRight(rights.nextElement());
+}
+}
 } else {
 log(ILogger.LL_FAILURE, "parseACL failed");
 }
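Review bot: rights are deduplicated by the `TreeSet`, but entries are appended to `curACL` with no duplicate check, and `entries` is a `Vector`; if the same resourceACLS value appears twice, or ACLs are reloaded into an already populated `mACLs`, identical ACLEntry objects accumulate on the merged ACL. Skip entries already present (or back `entries` with an order-preserving set) so the merge is idempotent. The two raw `Enumeration` loops should also be parameterised so `addEntry` and `addRight` are type-checked.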
-- 
2.5.5


Re: [Pki-devel] [PATCH] 0082 Allow multiple ACLs of same name (union of rules)

2016-03-23 Thread Fraser Tweedale
On Wed, Mar 23, 2016 at 12:55:24AM -0500, Endi Sukma Dewata wrote:
> On 3/22/2016 12:52 AM, Fraser Tweedale wrote:
> >>On 3/15/2016 8:14 PM, Fraser Tweedale wrote:
> >>>The attached patch makes a change to how ACLs are loaded from
> >>>database, to allow a single ACL to be specified across several
> 
> >>Should the ACL.rights be merged as well?
> 
> >Yes, it should; nice catch.  Updated patch attached.
> 
> ACK.
> 
Thanks; pushed to master (5dcda9815d57a45c1f2d6327eb45dd8a9ac45f74)



[Pki-devel] Lightweight CAs key replication design

2016-03-29 Thread Fraser Tweedale
Hi team,

Lightweight CA key replication is taking shape.  I have updated the
design page with juicy details:

http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs#Key_replication

Could interested parties and Simo please eyeball it.  Simo, I
particularly want your feedback on feasibility / implications of
creating a Kerberos principal for each CA replica which will be
authorised as a Custodia client to retrieve sub-CA signing keys.
Alternatively, instead of adding another principal could we use the
existing HTTP/@ principal as the Custodia client?

I entertained implementing TLS certificate authentication for
Custodia so that we could authenticate using e.g. CA subsystem cert
but felt that GSS-API would be a smoother path, because we already
have Python client code for IPA.

The implementation is in-progress; most of the core Java bits are
done, but not yet the IPA-specific KeyRetriever implementation nor
the Python helper program.

Cheers,
Fraser

P.S. I made a number of other updates to the design page - mostly
updates to bring it in line with what's already been implemented.



Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-14 Thread Fraser Tweedale
On Thu, Apr 14, 2016 at 09:04:31AM +1000, Fraser Tweedale wrote:
> On Wed, Apr 13, 2016 at 05:26:44PM -0400, Ade Lee wrote:
> > Still reviewing ..
> > 
> > See comment on 87.  ACK on 88,89,90,91,92,93, 94, 95.
> > 
> > Ade
> > 
> > On Mon, 2016-04-11 at 12:32 +1000, Fraser Tweedale wrote:
> > > Thanks for review, Ade.  Comments to specific feedback inline.
> > > Rebased and updated patches attached.  The substantive changes are:
> > > 
> > > - KeyRetriever implementations are now required NOT to import the
> > >   key themselves.  Instead the API is updated with
> > >   KeyRetriever.retrieveKey returning a Result, which contains PKCS
> > >   #12 data and password for same.
> > > 
> > > - KeyRetrieverRunner reads the Result and imports the PKCS #12 into
> > >   NSSDB.
> > > 
> > > - Added new patch 0097 which provides the IPACustodiaKeyRetriever
> > >   and associated Python helper script.  It depends on an unmerged
> > >   FreeIPA patch[1] as well as a particular principal and associated
> > >   keytab and Custodia keys existing.  I'm working on FreeIPA updates
> > >   to satisfy these requirements automatically on install or upgrade
> > >   but if you want to test this patch LMK and I'll provide detailed
> > >   instructions.
> > > 
> > >   [1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg000
> > > 55.html
> > > 
> > > Other comments inline.
> > > 
> > > Cheers,
> > > Fraser
> > > 
> > > On Fri, Apr 08, 2016 at 11:16:19AM -0400, Ade Lee wrote:
> > > > 
> > > > 0087
> > > > 
> > > > 1. In SigningUnit.java -- you catch an ObjectNotFound exception and
> > > > rethrow that as a CAMissingKey exception.  Is that the only way the
> > > > ObjectNotFound exception can be thrown?  What if the key is present
> > > > but
> > > > the cert is not?  Can we refactor here to ensure that the correct
> > > > exception is thrown?
> > > > 
> > > One can't get additional info out of ObjectNotFound without
> > > inspecting the String message, which I'm not comfortable doing.  The
> > > key retrieval system should import key and cert at same time so I've
> > > renamed the exception to CAMissingKeyOrCert for clarity.
> > > 
> > 
> > Well, you can always nest exceptions like so :
> > 
> > mToken.login(cb); // ONE_TIME by default.
> > 
> > try {
> > mCert = mManager.findCertByNickname(mNickname);
> > CMS.debug("Found cert by nickname: '" + mNickname + "' with 
> > serial number: " + mCert.getSerialNumber());
> > 
> > mCertImpl = new X509CertImpl(mCert.getEncoded());
> > CMS.debug("converted to x509CertImpl");
> > } catch (ObjectNotFoundException e) {
> > throw new CAMissingCertException();
> > }
> > 
> > try {
> > mPrivk = mManager.findPrivKeyByCert(mCert);
> > CMS.debug("Got private key from cert");
> > } catch (ObjectNotFoundException e) {
> >throw new CAMissingKeyException();
> > }
> > 
> > 
> > The only reason that I suggest this is that I could imagine this kind
> > of differentiation being useful in debugging failed custodia
> > replications.  If you think otherwise, I'm prepared to be convinced
> > otherwise.
> > 
> I think a scenario where we get key but not cert, or vice versa, is
> unlikely (Custodia gives us a PKCS #12 file with both).  However,
> your suggestion should work and it is a relatively small change.
> I'll cut a new patchset with this change today, along with the
> rebase.
> 
Updated and rebased patches attached.

The suggested changes were made to 0087.  This also resulted in
changes to patch 0094 (indicate when CA does not yet have keys).

No substantive changes to any other patches.

Cheers,
Fraser
From 6d72a9c7fc067df42a3259fc5ea87b65e94f76ad Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 31 Mar 2016 12:46:03 +1100
Subject: [PATCH 87/96] Lightweight CAs: add exceptions for missing signing key
 or cert

Add the CAMissingCertException and CAMissingKeyException classes and
throw when signing unit initialisation fails due to a missing
object.  In CertificateAuthority, store the exception if it occurs
for possible re-throwing later.  Also add the private '

[Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method

2016-04-26 Thread Fraser Tweedale
Hi all,

Please review the attached patch, which fixes
https://fedorahosted.org/pki/ticket/2301.

Cheers,
Fraser
From f912026913a93e40d1e06ba93f873b621feffbc6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 27 Apr 2016 13:35:41 +1000
Subject: [PATCH] Fix NSSDB certificate search method

'getX509CertFromToken' erroneously compares Issuer DN of given cert
with Subject DNs of cert in NSSDB.  It falsely returns the parent of
the target cert, if the certs have the same serial number.

In the context of how this method is used, it causes the deletion of
an external CA certificate from the NSSDB if the serial numbers
match, and subsequent certificate verification failure when
connecting to LDAP.

Update the method to check the Issuer DN.

Fixes: https://fedorahosted.org/pki/ticket/2301
---
 .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java| 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java 
b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 
8c353f0c7af47772af7fe3aab371fdf1ec0a6f29..c0f0ce1f405dd63232f1be6c15f8bd8d1a8d3c4b
 100644
--- 
a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ 
b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -1168,7 +1168,7 @@ public class ConfigurationUtils {
 CryptoManager cm = CryptoManager.getInstance();
 X509Certificate[] permcerts = cm.getPermCerts();
 for (int i = 0; i < permcerts.length; i++) {
-String issuer_p = permcerts[i].getSubjectDN().toString();
+String issuer_p = permcerts[i].getIssuerDN().toString();
 BigInteger serial_p = permcerts[i].getSerialNumber();
 if (issuer_p.equals(issuer_impl) && 
serial_p.compareTo(serial_impl) == 0) {
 return permcerts[i];
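Review bot: the fix to compare `getIssuerDN()` is correct for the described bug, but matching issuer names via `toString()` equality remains fragile: two encodings of the same distinguished name (attribute ordering, whitespace, case in attribute types, string types) can render differently and then fail to match, or, when the comparison is used to decide which certificate to delete, match the wrong one. Compare the issuer as an `X500Principal` (or a canonicalised DN) rather than its string form.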
-- 
2.5.5


Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-23 Thread Fraser Tweedale
On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
> I took a look at the stuff alee asked for.
> 
> CFU even took a quick look when I asked her a couple of questions.
> She was unsure of something (as was I) and she would like to be able
> to take a closer look next week. I will give my quick thoughts.
> 
> 1. I agree that HSM support is not in the patch, seems fine to move that
> to a future ticket.
> 
Thanks.  I filed ticket: https://fedorahosted.org/pki/ticket/2292

> Here is one thing I was kind of worried about:
> This is the code that imports the archive of the desired private key.
> 
> 
> ublic static PrivateKey importPKIArchiveOptions(
> +CryptoToken token, PrivateKey unwrappingKey,
> +PublicKey pubkey, byte[] data)
> +throws InvalidBERException, Exception {
> +ByteArrayInputStream in = new ByteArrayInputStream(data);
> +PKIArchiveOptions options = (PKIArchiveOptions)
> +(new PKIArchiveOptions.Template()).decode(in);
> +EncryptedKey encKey = options.getEncryptedKey();
> +EncryptedValue encVal = encKey.getEncryptedValue();
> +AlgorithmIdentifier algId = encVal.getSymmAlg();
> +BIT_STRING encSymKey = encVal.getEncSymmKey();
> +BIT_STRING encPrivKey = encVal.getEncValue();
> 
> This the wrapper object that is build off of the caSigningUnit key gotten
> in the other patch, the RetrieverThread like this:
> 
> 
> 
>  PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
> 
> 
> 
> The code below works fine if said key is RSA. I talked over with CFU and she 
> said there
> could be a chance this key is ECC for an ECC CA.
> 
> We both think the rest of the code in this routine is fine, except for 
> possibly that.
> She is also not even sure if JSS can support an ECC private key wrapper.
> 
Yes, it is currently not supported in JSS (I'm unsure if NSS
supports it).  However, because the first release of Lightweight CAs
is to support FreeIPA sub-CAs feature, and FreeIPA does not yet
support EC CA, I don't think it's a show-stopper.  I filed a ticket
for key replication with non-RSA CA:

https://fedorahosted.org/pki/ticket/2291

> She requests you guys give her a day or two to look at it.
> 
No problem.  Thank you (and Christina) for the review.

Cheers,
Fraser

> Except for the hsm issue, the code that calls this routine in the thread 
> seems fine too.
> 
> +
> +KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
> +wrapper.initUnwrap(unwrappingKey, null);
> 
> +SymmetricKey sk = wrapper.unwrapSymmetric(
> +encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
> +
> +ASN1Value v = algId.getParameters();
> +v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
> +byte iv[] = ((OCTET_STRING) v).toByteArray();
> +IVParameterSpec ivps = new IVParameterSpec(iv);
> +
> +wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
> +wrapper.initUnwrap(sk, ivps);
> +PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
> +    ? PrivateKey.Type.EC
> +: PrivateKey.Type.RSA;
> +return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
> +}
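Review bot: the symmetric algorithm is never checked against the EncryptedValue: `algId` (from `encVal.getSymmAlg()`) is consulted only for its IV parameter, while the key type `SymmetricKey.Type.DES3` and `KeyWrapAlgorithm.DES3_CBC_PAD` are hard-coded, so an archive wrapped with a different cipher would be unwrapped with the wrong algorithm and fail in a confusing way. Suggest comparing the OID in `algId` with the expected 3DES-CBC OID up front and throwing a clear error otherwise; the same applies to the hard-coded `KeyWrapAlgorithm.RSA`, which is the EC-CA concern raised above.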
> 
> 
> - Original Message -
> > From: "Fraser Tweedale" <ftwee...@redhat.com>
> > To: "Ade Lee" <a...@redhat.com>
> > Cc: pki-devel@redhat.com
> > Sent: Wednesday, April 20, 2016 9:58:54 PM
> > Subject: Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication  
> > support
> > 
> > Thanks Ade.  Updated patch 0096 attached.  Comments inline.
> > 
> > On Wed, Apr 20, 2016 at 11:30:52AM -0400, Ade Lee wrote:
> > > Comments:
> > > 
> > > 95 - ack
> > > 
> > > 96 -
> > > 
> > > 1. You have made the return type of initSigUnit() to be boolean.
> > >  Should you be checking the return value in init()?
> > > 
> > It is not needed to check it here; only when re-entering init from
> > the KeyReplicatorRunner thread.
> > 
> > > 2. In addInstanceToAuthorityKeyHosts(), you are still using only the
> > > hostname.  Should be host:port
> > > 
> > Good pickup.  Fixed in latest patch.
> > 
> > > 3. The logic in the KeyRetrieverRunner class looks OK to me, but I'd
> > > like cfu and/or jmagne to check it and make sure we are calling the
> > > right primitives to wrap/unwrap inside the cryptographic token.
> > > 
> > > Also I'd like them to confirm that this would work for an HSM.
> >

Re: [Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-08 Thread Fraser Tweedale
On Fri, May 06, 2016 at 09:31:07PM -0500, Endi Sukma Dewata wrote:
> On 5/5/2016 1:54 AM, Fraser Tweedale wrote:
> >The attached patch allows "host-authority" to be used as valid
> >reference to the host authority when creating a LWCA.  It makes life
> >easier for me on the FreeIPA side :)
> >
> >Cheers,
> >Fraser
> 
> ACK. Just one thing, could you chain the original exception to
> BadRequestException?
> 
Thanks; made the change and pushed to master
(bdd9ceca09d570f9ac976bed6bc980e6527d92b5)

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] 0104 Lightweight CAs: fix bad import in key retriever script

2016-05-08 Thread Fraser Tweedale
Attached patch fixes a typo in the LWCA key retrieval Python helper
script.

Pushed to master (e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f) under
one-liner rule.

Cheers,
Fraser
From e75be5dcbce6aecf08ea7ff0b027222d0b6bbd4f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 3 May 2016 16:24:16 +1000
Subject: [PATCH] Lightweight CAs: fix bad import in key retriever script

Part of: https://fedorahosted.org/pki/ticket/1625
---
 base/server/libexec/pki-ipa-retrieve-key | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/libexec/pki-ipa-retrieve-key 
b/base/server/libexec/pki-ipa-retrieve-key
index 
8098e534e54670c3a5d8776fe934f1f13037b373..301f818b859577ef1a861bc7a855b6103a6f3af8
 100755
--- a/base/server/libexec/pki-ipa-retrieve-key
+++ b/base/server/libexec/pki-ipa-retrieve-key
@@ -9,7 +9,7 @@ import sys
 
 from jwcrypto.common import json_decode
 
-from ipalib.constants import constants
+from ipalib import constants
 from ipaplatform.paths import paths
 from ipapython.secrets.client import CustodiaClient
 
-- 
2.5.5


[Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-08 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
It will result in better error messages and help users to diagnose
bad profile configurations (especially with IPA).

Thanks,
Fraser
From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 9 May 2016 12:57:32 +1000
Subject: [PATCH] Reject cert request if resultant subject DN is invalid

An unparseable subject DN is ignored, causing NPE in subsequent
processing because the subject DN was not set.  Throw
ERejectException if the subject DN is invalid, to ensure that a
useful response can be returned to the requestor.

Fixes: https://fedorahosted.org/pki/ticket/2317
---
 .../com/netscape/certsrv/profile/ERejectException.java   |  8 
 .../com/netscape/cms/profile/def/SubjectNameDefault.java | 16 ++--
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/profile/ERejectException.java 
b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
index 
cceeb12ab8354b05dec0d0212d7a0f04de9e6184..1ada1c4ebca50ed79a443e2e47b3251a7303ff37
 100644
--- a/base/common/src/com/netscape/certsrv/profile/ERejectException.java
+++ b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
@@ -43,4 +43,12 @@ public class ERejectException extends EProfileException {
 public ERejectException(String msg) {
 super(msg);
 }
+
+public ERejectException(String msg, Throwable cause) {
+super(msg, cause);
+}
+
+public ERejectException(Throwable cause) {
+super(cause.getMessage(), cause);
+}
 }
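Review bot: `ERejectException(Throwable cause)` passes `cause.getMessage()` to `super`, which is often null (many exceptions carry no message) and throws NPE if `cause` itself is null; suggest `super(cause == null ? null : cause.toString(), cause)` or at least `String.valueOf(cause.getMessage())` so the rejection message is never empty. A Javadoc line on both new constructors noting that the cause is kept for logging while only `msg` is intended to reach the requestor would also help.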
diff --git 
a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java 
b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
index 
31aee6dd6d9299438fb62493f61879f9a01dd9ed..629f4bcc10869518ff890a96fa6657565df00abe
 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
@@ -27,6 +27,7 @@ import netscape.security.x509.X509CertInfo;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.property.Descriptor;
 import com.netscape.certsrv.property.EPropertyException;
@@ -166,19 +167,14 @@ public class SubjectNameDefault extends EnrollDefault {
 return;
 try {
 name = new X500Name(subjectName);
-} catch (IOException e) {
-// failed to build x500 name
-CMS.debug("SubjectNameDefault: populate " + e.toString());
-}
-if (name == null) {
-// failed to build x500 name
-}
-try {
 info.set(X509CertInfo.SUBJECT,
 new CertificateSubjectName(name));
 } catch (Exception e) {
-// failed to insert subject name
-CMS.debug("SubjectNameDefault: populate " + e.toString());
+CMS.debug("SubjectNameDefault: failed to populate: " + e);
+throw new ERejectException(CMS.getUserMessage(
+getLocale(request),
+"CMS_PROFILE_INVALID_SUBJECT_NAME",
+subjectName), e);
 }
 }
 }
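Review bot: the single `catch (Exception e)` now covers both `new X500Name(subjectName)` and `info.set(...)`, so any failure inside `info.set` (not only an unparseable DN) is reported to the requestor as `CMS_PROFILE_INVALID_SUBJECT_NAME`; suggest keeping a narrow `catch (IOException e)` around the `X500Name` construction for the reject path and treating an `info.set` failure as a profile error. Also note that the computed `subjectName` is echoed verbatim in the user-facing message, which is useful for diagnosing bad profiles but means request-derived values appear in the response.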
-- 
2.5.5


[Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Fraser Tweedale
Hi all,

The following patch adds a pki-server subcommand for updating
certificate records to add the issuerName attribute.

It is for #1667 (Database upgrade script to add issuerName attribute
to all cert entries).

Follow-up question: should I (and if so, how should I) also add an
upgrade scriptlet to perform the upgrade for Dogtag CA subsystem on
the host?  Is there a precedent for invoking pki-server (or
subroutines thereof) from pki-server-upgrade scriptlets?

Cheers,
Fraser
From 9d994fe2c4e31c3d4212673f1dd3a0c8e84c40a3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 9 May 2016 17:00:54 +1000
Subject: [PATCH] Add pki-server ca-cert-db-upgrade command

Add the 'ca-cert-db-upgrade' command to 'pki-server', which updates
certificate records to add the issuerName attribute where missing.

Part of: https://fedorahosted.org/pki/ticket/1667
---
 base/server/python/pki/server/cli/ca.py | 81 +
 1 file changed, 81 insertions(+)

diff --git a/base/server/python/pki/server/cli/ca.py 
b/base/server/python/pki/server/cli/ca.py
index 
dbf8239f4f548714beb0c68d7bca2c84f6c0fb74..b76a8f8834cc0c7d802b38b83d3a8ce99fbb0d84
 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,6 +22,8 @@ from __future__ import absolute_import
 from __future__ import print_function
 import getopt
 import io
+import ldap
+import nss.nss as nss
 import os
 import shutil
 import sys
@@ -48,6 +50,7 @@ class CACertCLI(pki.cli.CLI):
 
 self.add_module(CACertChainCLI())
 self.add_module(CACertRequestCLI())
+self.add_module(CACertDBUpgrade())
 
 
 class CACertChainCLI(pki.cli.CLI):
@@ -407,3 +410,81 @@ class CAClonePrepareCLI(pki.cli.CLI):
 
 finally:
 shutil.rmtree(tmpdir)
+
+
+class CACertDBUpgrade(pki.cli.CLI):
+def __init__(self):
+super(CACertDBUpgrade, self).__init__(
+'db-upgrade', 'Upgrade certificate records')
+
+def usage(self):
+print('Usage: pki-server ca-cert-db-upgrade [OPTIONS]')
+print()
+print('  -i, --instanceInstance ID (default: 
pki-tomcat).')
+print('  -v, --verbose  Run in verbose mode.')
+print('  --help Show help message.')
+print()
+
+def execute(self, args):
+try:
+opts, _ = getopt.gnu_getopt(
+args, 'i:v', ['instance=', 'verbose', 'help'])
+
+except getopt.GetoptError as e:
+print('ERROR: ' + str(e))
+self.usage()
+sys.exit(1)
+
+instance_name = 'pki-tomcat'
+
+for o, a in opts:
+if o in ('-i', '--instance'):
+instance_name = a
+
+elif o in ('-v', '--verbose'):
+self.set_verbose(True)
+
+elif o == '--help':
+self.print_help()
+sys.exit()
+
+else:
+print('ERROR: unknown option ' + o)
+self.usage()
+sys.exit(1)
+
+nss.nss_init_nodb()
+
+instance = pki.server.PKIInstance(instance_name)
+instance.load()
+
+subsystem = instance.get_subsystem('ca')
+base_dn = subsystem.config['internaldb.basedn']
+conn = subsystem.open_database()
+try:
+entries = conn.ldap.search_s(
+'ou=certificateRepository,ou=ca,%s' % base_dn,
+ldap.SCOPE_ONELEVEL,
+'(&(objectclass=certificateRecord)(!(issuerName=*)))',
+None)
+for entry in entries:
+self.__add_issuer(conn, entry)
+finally:
+conn.close()
+
+@staticmethod
+def __add_issuer(conn, entry):
+dn, attrs = entry
+attr_cert = attrs.get('userCertificate;binary')
+if not attr_cert:
+return  # shouldn't happen, but nothing we can do if it does
+
+cert = nss.Certificate(bytearray(attr_cert[0]))
+issuer_name = str(cert.issuer)
+
+try:
+conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+except ldap.LDAPError as e:
+print(
+'Failed to add issuerName to certificate {}: {}'
+.format(attrs.get('cn', [''])[0], e))
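Review bot: failures in `__add_issuer` are printed but not counted, so the command exits 0 even when some records were not updated, which hides a partial upgrade from any installer that may run it (the thread mentions ipa-server-install); suggest returning a failure count from `__add_issuer`, summarising after the loop and calling `sys.exit(1)` when it is non-zero. Two smaller points: `nss.nss_init_nodb()` has no matching `nss.nss_shutdown()`, and the filter `(!(issuerName=*))` already makes the command idempotent, which is worth stating in the usage text.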
-- 
2.5.5


Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-09 Thread Fraser Tweedale
On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote:
> Isn't all this predicated on a schema change that adds the issuer as an
> optional field for the certRecord?
> 
The schema already exists but was unused.

> Ade
> 
> On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The following patch adds a pki-server subcommand for updating
> > certificate records to add the issuerName attribute.
> > 
> > It is for #1667 (Database upgrade script to add issuerName attribute
> > to all cert entries).
> > 
> > Follow-up question: should I (and if so, how should I) also add an
> > upgrade scriptlet to perform the upgrade for Dogtag CA subsystem on
> > the host?  Is there a precedent for invoking pki-server (or
> > subroutines thereof) from pki-server-upgrade scriptlets?
> > 
> > Cheers,
> > Fraser



Re: [Pki-devel] [PATCH] 0106..0107 Add issuer DN to cert search params/result

2016-05-10 Thread Fraser Tweedale
On Tue, May 10, 2016 at 01:29:17PM -0400, Ade Lee wrote:
> ACK.
> 
Thanks Ade; pushed to master:

502db07ee8ef3e9f6b4bc2b030b29e8db639bc69 Include issuer DN in CertDataInfo
70d751e837cbf375ebd068169e591cd4a971f472 Support certificate search by issuer DN.

> Is the new search parameter added to the CLI (either python or Java?)
> or displayed in cert info results from the CLI?
> 
> How are these changes tested?
> 
I've enhanced `ipa cert-find' to use the new search param and
display the IssuerDN in the result.

I've filed #2324 for the Dogtag CLI part; targeting 10.3.2 but if
you feel it should be brought forward let's discuss.

https://fedorahosted.org/pki/ticket/2324

Cheers,
Fraser



[Pki-devel] [PATCH] 0112 Return 410 Gone if target CA of request has been deleted

2016-05-17 Thread Fraser Tweedale
Hi all,
attached patch fixes https://fedorahosted.org/pki/ticket/2332

Cheers,
Fraser
From baf904216848a5d775948853764d2657ea6405e9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 17 May 2016 14:47:11 +1000
Subject: [PATCH] Return 410 Gone if target CA of request has been deleted

When processing a request whose target CA has been deleted in
between request submission and request approval, the server does not
handle the CANotFoundException, resulting in response status 500.

Catch the CANotFoundException and respond with status 410 Gone.

Fixes: https://fedorahosted.org/pki/ticket/2332
---
 base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index 
80aaf6f7899d92675c15c6f944b7a3a491784145..d154e8eec31c3c74883e606d95eaa2094f36ff2f
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -41,6 +41,7 @@ import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.HTTPGoneException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.base.ServiceUnavailableException;
@@ -49,6 +50,7 @@ import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAMissingCertException;
 import com.netscape.certsrv.ca.CAMissingKeyException;
+import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfo;
@@ -252,6 +254,11 @@ public class CertRequestService extends PKIService 
implements CertRequestResourc
 } catch (BadRequestDataException e) {
 CMS.debug("changeRequestState: bad request data: " + e);
 throw new BadRequestException(e.toString());
+} catch (CANotFoundException e) {
+// The target CA does not exist (deleted between
+// request submission and approval).
+CMS.debug("changeRequestState: CA not found: " + e);
+throw new HTTPGoneException(e.toString());
 } catch (CADisabledException e) {
 CMS.debug("changeRequestState: CA disabled: " + e);
 throw new ConflictingOperationException(e.toString());
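Review bot: `HTTPGoneException(e.toString())` sends the exception's class name and message to the client; that matches the neighbouring `BadRequestException(e.toString())` and `ConflictingOperationException(e.toString())`, but a fixed message such as "target CA has been deleted" would be clearer for the agent and avoids exposing internal class names. Nothing in this hunk changes the request's own state, so an agent retrying approval will get 410 again; if that is intended, say so in the commit message or a comment.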
-- 
2.5.5


Re: [Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command

2016-05-12 Thread Fraser Tweedale
On Tue, May 10, 2016 at 02:42:52PM -0400, Ade Lee wrote:
> The patch itself is fine.
> 
> I'm just struggling with where this script should exist.
> 
> pki-server ca-cert-db-upgrade seems like an awfully generic description
> for this operation - which basically provides a very specific db
> migration.  For that matter, why not ca-db-upgrade?
> 
My thinking was that, in the future, whatever DB upgrades are needed
for a subsystem could be added to the command.

So on that, I take your point re "ca-db-upgrade" and will cut a new
patch with that command name.

> What happens the next time someone needs to do a CA DB upgrade?
> I'm almost wondering if a separate pki-db tool is needed.
> 
I think having it as part of pki-server(1) is a satisfactory fit.

> For that matter though, it's possible that the database is quite large
> so attempting to do this automatically during upgrade is probably not
> advisable.
> 
We can leave it as a manual step for now (for Dogtag itself).

ipa-server-install may need to run it.  In the future, to avoid
unnecessary work, we can track which "steps" have been run (either
on disk or, preferably, in LDAP itself).  Updates themselves should
be idempotent.

> Opening up for others to chime in ..
> 
> Ade
> 
> On Tue, 2016-05-10 at 08:32 +1000, Fraser Tweedale wrote:
> > On Mon, May 09, 2016 at 04:06:46PM -0400, Ade Lee wrote:
> > > Isn't all this predicated on a schema change that adds the issuer
> > > as an
> > > optional field for the certRecord?
> > > 
> > The schema already exists but was unused.
> > 
> > > Ade
> > > 
> > > On Mon, 2016-05-09 at 17:15 +1000, Fraser Tweedale wrote:
> > > > Hi all,
> > > > 
> > > > The following patch adds a pki-server subcommand for updating
> > > > certificate records to add the issuerName attribute.
> > > > 
> > > > It is for #1667 (Database upgrade script to add issuerName
> > > > attribute
> > > > to all cert entries).
> > > > 
> > > > Follow-up question: should I (and if so, how should I) also add
> > > > an
> > > > upgrade scriptlet to perform the upgrade for Dogtag CA subsystem
> > > > on
> > > > the host?  Is there a precedent for invoking pki-server (or
> > > > subroutines thereof) from pki-server-upgrade scriptlets?
> > > > 
> > > > Cheers,
> > > > Fraser



[Pki-devel] [PATCH] 0111 Lightweight CAs: remove NSSDB material when processing deletion

2016-05-15 Thread Fraser Tweedale
The attached patch makes clones delete lightweight CA keys/certs
from local NSSDB when processing LWCA deletion.

Ticket: https://fedorahosted.org/pki/ticket/2328

Thanks,
Fraser
From 96079be3caea27ab1ecd5e6486a31c5c3629 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 16 May 2016 12:20:21 +1000
Subject: [PATCH] Lightweight CAs: remove NSSDB material when processing
 deletion

When processing a CA deletion that occurred on another clone, remove
the CA's certificate and key from the local NSSDB.

Fixes: https://fedorahosted.org/pki/ticket/2328
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 18 +-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
8ef6fd4b6dc97b9108f470a38f45eec864f24015..9dc3ad060f78512bba3786a641b62182d9122553
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2850,9 +2850,13 @@ public class CertificateAuthority
 
 shutdown();
 
-// delete ldap entry
 deleteAuthorityEntry(authorityID);
+deleteAuthorityNSSDB();
+}
 
+/** Delete keys and certs of this authority from NSSDB.
+ */
+private void deleteAuthorityNSSDB() throws ECAException {
 CryptoManager cryptoManager;
 try {
 cryptoManager = CryptoManager.getInstance();
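Review bot: `deleteAuthorityEntry(authorityID)` runs before `deleteAuthorityNSSDB()`, and the new method throws `ECAException`, so if NSSDB removal fails the caller sees an error after the LDAP entry is already gone and the local key material stays behind with no second chance to remove it. Suggest either catching and logging the NSSDB failure here (as the second hunk does for clones) or removing the NSSDB material first, since the LDAP deletion is what other clones react to.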
@@ -3146,6 +3150,18 @@ public class CertificateAuthority
 attr = entry.getAttribute("authorityID");
 if (attr != null) {
 aid = new AuthorityID(attr.getStringValueArray()[0]);
+CertificateAuthority ca = (CertificateAuthority) getCA(aid);
+if (ca == null)
+return;  // shouldn't happen
+
+try {
+ca.deleteAuthorityNSSDB();
+} catch (ECAException e) {
+// log and carry on
+CMS.debug(
+"Caught exception attempting to delete NSSDB material "
++ "for authority '" + aid + "': " + e);
+}
 forgetAuthority(aid);
 }
 }
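Review bot: on `ca == null` the method returns early and skips `forgetAuthority(aid)`; if this really "shouldn't happen", log it rather than silently returning, and consider whether `forgetAuthority(aid)` should still run so in-memory state cannot diverge from LDAP. The catch-and-continue around `ca.deleteAuthorityNSSDB()` is the right choice for a replication listener, but the debug log is then the only record that this clone still holds a deleted CA's private key; an audit-level log entry would be more appropriate for that case.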
-- 
2.5.5


[Pki-devel] [PATCH] 0108 Lightweight CAs: add issuer DN and serial to AuthorityData

2016-05-12 Thread Fraser Tweedale
Hi team,

Attached patch implements https://fedorahosted.org/pki/ticket/1618
(Lightweight CAs: include Issuer DN and Serial in AuthorityData).

If ACKed and we want to kick off builds of 10.3.0, please go ahead
and merge it, otherwise I'll merge it on Monday morning.

Cheers,
Fraser
From 913fced6709f30da2ac05e5367fcfc05e1698a75 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 13 May 2016 14:22:08 +1000
Subject: [PATCH] Lightweight CAs: add issuer DN and serial to AuthorityData

Add issuer DN and serial number to the AuthorityData object, as
read-only attributes.  Values are displayed in the CLI, when present
in the response data.

Fixes: https://fedorahosted.org/pki/ticket/1618
---
 .../dogtagpki/server/ca/rest/AuthorityService.java | 18 +++---
 .../netscape/certsrv/authority/AuthorityData.java  | 22 ++
 .../netscape/cmstools/authority/AuthorityCLI.java  | 14 +-
 .../cmstools/authority/AuthorityCreateCLI.java |  2 +-
 .../cmstools/authority/AuthorityDisableCLI.java|  2 +-
 .../cmstools/authority/AuthorityEnableCLI.java |  2 +-
 6 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 
29b7f78434a433360f34e9f821e6166ed19c604c..199ebef1a30c0cb946731ba448320f33611b3605
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -20,6 +20,7 @@ package org.dogtagpki.server.ca.rest;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.math.BigInteger;
 import java.security.cert.CertificateEncodingException;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
@@ -270,14 +271,14 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 public Response enableCA(String aidString) {
 return modifyCA(
 aidString,
-new AuthorityData(null, null, null, null, true, null, null));
+new AuthorityData(null, null, null, null, null, null, true, null, 
null));
 }
 
 @Override
 public Response disableCA(String aidString) {
 return modifyCA(
 aidString,
-new AuthorityData(null, null, null, null, false, null, null));
+new AuthorityData(null, null, null, null, null, null, false, null, 
null));
 }
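Review bot: the `enableCA`/`disableCA` calls now pass nine positional arguments, seven of them `null`, and this patch itself had to shift the `true`/`false` two places to the right; a small static factory or a builder on `AuthorityData` would make the next field addition less error-prone than counting nulls.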
 
 @Override
@@ -321,7 +322,16 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 try {
 dn = ca.getX500Name().toLdapDNString();
 } catch (IOException e) {
-throw new PKIException("Error reading CA data: could not determine 
Issuer DN");
+throw new PKIException("Error reading CA data: could not determine 
subject DN");
+}
+
+String issuerDN;
+BigInteger serial;
+try {
+issuerDN = ca.getCACert().getIssuerDN().toString();
+serial = ca.getCACert().getSerialNumber();
+} catch (EBaseException e) {
+throw new PKIException("Error reading CA data: missing CA cert", 
e);
 }
 
 AuthorityID parentAID = ca.getAuthorityParentID();
@@ -330,6 +340,8 @@ public class AuthorityService extends PKIService implements 
AuthorityResource {
 dn,
 ca.getAuthorityID().toString(),
 parentAID != null ? parentAID.toString() : null,
+issuerDN,
+serial,
 ca.getAuthorityEnabled(),
 ca.getAuthorityDescription(),
 ca.isReady()
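Review bot: `ca.getCACert()` throwing `EBaseException` now makes the whole read fail with `PKIException`, yet the same method reports `ca.isReady()` a few lines down, which suggests a lightweight CA object can exist before its certificate is available (for example on a clone still awaiting key replication); in that state reading or listing the authority would return an error instead of `ready=false`. Suggest leaving `issuerDN` and `serial` null when the cert is missing, matching the "when present in the response data" wording in the commit message.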
diff --git a/base/common/src/com/netscape/certsrv/authority/AuthorityData.java 
b/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
index 
84679567eb527cbf9fedd21705a72ca9c1a34a93..7d74caf97366ab79e14f9afce94041e17cea341a
 100644
--- a/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
+++ b/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
@@ -21,6 +21,8 @@
  */
 package com.netscape.certsrv.authority;
 
+import java.math.BigInteger;
+
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
@@ -70,6 +72,23 @@ public class AuthorityData {
 return parentID;
 }
 
+/* Read-only for existing CAs */
+@XmlAttribute
+protected String issuerDN;
+
+public String getIssuerDN() {
+return issuerDN;
+}
+
+
+/* Read-only attribute */
+@XmlAttribute
+protected BigInteger serial;
+
+public BigInteger getSerial() {
+return serial;
+}
+
 
 @XmlAttribute
 protected String dn;
@@ -124,12 +143,15 @@ public class AuthorityData {
 public AuthorityData(
 Boolean isHostAuthority,
 String dn, String id, String parentID,
+String issuerDN, BigInteger serial,

Re: [Pki-devel] [PATCH] 0103 Reject cert request if resultant subject DN is invalid

2016-05-12 Thread Fraser Tweedale
On Mon, May 09, 2016 at 01:19:50PM +1000, Fraser Tweedale wrote:
> The attached patch fixes https://fedorahosted.org/pki/ticket/2317.
> It will result in better error messages and help users to diagnose
> bad profile configurations (especially with IPA).
> 
> Thanks,
> Fraser
>
Acked by alee (thanks!); pushed to master
(54c18d85a778775c86bcddab4eee929719ac4d23)

> From ff7ff61c6cc97f695f3db2058bf3639014278299 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Mon, 9 May 2016 12:57:32 +1000
> Subject: [PATCH] Reject cert request if resultant subject DN is invalid
> 
> An unparseable subject DN is ignored, causing NPE in subsequent
> processing because the subject DN was not set.  Throw
> ERejectException if the subject DN is invalid, to ensure that a
> useful response can be returned to the requestor.
> 
> Fixes: https://fedorahosted.org/pki/ticket/2317
> ---
>  .../com/netscape/certsrv/profile/ERejectException.java   |  8 
>  .../com/netscape/cms/profile/def/SubjectNameDefault.java | 16 
> ++--
>  2 files changed, 14 insertions(+), 10 deletions(-)
> 
> diff --git 
> a/base/common/src/com/netscape/certsrv/profile/ERejectException.java 
> b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> index 
> cceeb12ab8354b05dec0d0212d7a0f04de9e6184..1ada1c4ebca50ed79a443e2e47b3251a7303ff37
>  100644
> --- a/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> +++ b/base/common/src/com/netscape/certsrv/profile/ERejectException.java
> @@ -43,4 +43,12 @@ public class ERejectException extends EProfileException {
>  public ERejectException(String msg) {
>  super(msg);
>  }
> +
> +public ERejectException(String msg, Throwable cause) {
> +super(msg, cause);
> +}
> +
> +public ERejectException(Throwable cause) {
> +super(cause.getMessage(), cause);
> +}
>  }
> diff --git 
> a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java 
> b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> index 
> 31aee6dd6d9299438fb62493f61879f9a01dd9ed..629f4bcc10869518ff890a96fa6657565df00abe
>  100644
> --- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> +++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectNameDefault.java
> @@ -27,6 +27,7 @@ import netscape.security.x509.X509CertInfo;
>  import com.netscape.certsrv.apps.CMS;
>  import com.netscape.certsrv.base.IConfigStore;
>  import com.netscape.certsrv.profile.EProfileException;
> +import com.netscape.certsrv.profile.ERejectException;
>  import com.netscape.certsrv.profile.IProfile;
>  import com.netscape.certsrv.property.Descriptor;
>  import com.netscape.certsrv.property.EPropertyException;
> @@ -166,19 +167,14 @@ public class SubjectNameDefault extends EnrollDefault {
>  return;
>  try {
>  name = new X500Name(subjectName);
> -} catch (IOException e) {
> -// failed to build x500 name
> -CMS.debug("SubjectNameDefault: populate " + e.toString());
> -}
> -if (name == null) {
> -// failed to build x500 name
> -}
> -try {
>  info.set(X509CertInfo.SUBJECT,
>  new CertificateSubjectName(name));
>  } catch (Exception e) {
> -// failed to insert subject name
> -CMS.debug("SubjectNameDefault: populate " + e.toString());
> +CMS.debug("SubjectNameDefault: failed to populate: " + e);
> +throw new ERejectException(CMS.getUserMessage(
> +getLocale(request),
> +"CMS_PROFILE_INVALID_SUBJECT_NAME",
> +subjectName), e);
>  }
>  }
>  }
> -- 
> 2.5.5
> 




Re: [Pki-devel] [PATCH] 0100 Fix NSSDB certificate search method

2016-05-02 Thread Fraser Tweedale
On Wed, Apr 27, 2016 at 12:35:28PM -0500, Endi Sukma Dewata wrote:
> On 4/26/2016 10:50 PM, Fraser Tweedale wrote:
> >Hi all,
> >
> >Please review the attached patch, which fixes
> >https://fedorahosted.org/pki/ticket/2301.
> >
> >Cheers,
> >Fraser
> 
> ACK.
> 
Thanks Endi; pushed to master:

970fcc3b14f3a3fd5579aaa0259d289d82cff13d Fix NSSDB certificate search method



Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-05-02 Thread Fraser Tweedale
On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
> I took a look at the stuff alee asked for.
> 
> CFU even took a quick look when I asked her a couple of questions.
> She was unsure of something (as was I) and she would like to be able
> to take a closer look next week. I will give my quick thoughts.
> 
> 1. I agree that HSM support is not in the patch, seems fine to move that
> to a future ticket.
> 
> Here is one thing I was kind of worried about:
> This is the code that imports the archive of the desired private key.
> 
> 
> ublic static PrivateKey importPKIArchiveOptions(
> +CryptoToken token, PrivateKey unwrappingKey,
> +PublicKey pubkey, byte[] data)
> +throws InvalidBERException, Exception {
> +ByteArrayInputStream in = new ByteArrayInputStream(data);
> +PKIArchiveOptions options = (PKIArchiveOptions)
> +(new PKIArchiveOptions.Template()).decode(in);
> +EncryptedKey encKey = options.getEncryptedKey();
> +EncryptedValue encVal = encKey.getEncryptedValue();
> +AlgorithmIdentifier algId = encVal.getSymmAlg();
> +BIT_STRING encSymKey = encVal.getEncSymmKey();
> +BIT_STRING encPrivKey = encVal.getEncValue();
> 
> This is the wrapper object that is built off of the caSigningUnit key gotten
> in the other patch, the RetrieverThread, like this:
> 
>  PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
> 
> The code below works fine if said key is RSA. I talked over with CFU and she 
> said there
> could be a chance this key is ECC for an ECC CA.
> 
> We both think the rest of the code in this routine is fine, except for 
> possibly that.
> She is also not even sure if JSS can support an ECC private key wrapper.
> 
> She requests you guys give her a day or two to look at it.
> 
> Except for the hsm issue, the code that calls this routine in the thread 
> seems fine too.
> 
> +
> +KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
> +wrapper.initUnwrap(unwrappingKey, null);
> 
> +SymmetricKey sk = wrapper.unwrapSymmetric(
> +encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
> +
> +ASN1Value v = algId.getParameters();
> +v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
> +byte iv[] = ((OCTET_STRING) v).toByteArray();
> +IVParameterSpec ivps = new IVParameterSpec(iv);
> +
> +wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
> +wrapper.initUnwrap(sk, ivps);
> +PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
> +? PrivateKey.Type.EC
> +: PrivateKey.Type.RSA;
> +return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
> +}
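Review bot: `token.getKeyWrapper(KeyWrapAlgorithm.RSA)` hard-codes RSA for `unwrappingKey`, which is the host CA signing key from `hostCA.mSigningUnit.getPrivateKey()`; with an EC signing key this fails inside `initUnwrap`, and the `PrivateKey.Type.EC` branch further down only covers the key being imported, not the key doing the unwrapping. Check `unwrappingKey.getType()` first and fail with an explicit unsupported-algorithm error, so the ECC concern raised above at least produces a clear message until EC unwrapping in JSS is confirmed. Likewise `SymmetricKey.Type.DES3` and `KeyWrapAlgorithm.DES3_CBC_PAD` ignore the `algId` decoded from `encVal.getSymmAlg()`; compare `algId.getOID()` with the expected DES3-CBC OID and reject anything else rather than unwrapping under an assumed algorithm.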
>
Pushed to master.

Christina, I know you were/are very busy so thanks for spending
some time looking at these patches.  If you have any other questions
or concerns let me know ASAP.

24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever

Cheers,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.

2016-05-03 Thread Fraser Tweedale
On Tue, May 03, 2016 at 02:52:50PM -0500, Endi Sukma Dewata wrote:
> On 5/2/2016 8:19 PM, Fraser Tweedale wrote:
> >On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote:
> >>Some certificate profiles have been modified to remove the default
> >>one minute validity delay, allowing the certificate issued with
> >>those profiles to be used immediately.
> >>
> >>https://fedorahosted.org/pki/ticket/2304
> >>
> >LGTM.  Do we know what was the reason for the delay?
> >
> >Cheers,
> >Fraser
> 
> Thanks for looking. This is trivial enough so I pushed it to master.
> 
> Apparently nobody knows the original reason for the delay. Regardless, if
> anybody needs the delay the profile can still be customized as needed.
> 
> Do you think it's necessary to apply the same changes to the profiles stored in
> LDAP? In that case we might need another ticket for the database upgrade.
> 
I wouldn't worry about it for now.  LDAPProfileSubsystem is only
used by FreeIPA, which doesn't use those affected profiles.

Cheers,
Fraser



[Pki-devel] [PATCH] 0101 Lightweight CAs: accept "host-authority" as valid parent

2016-05-05 Thread Fraser Tweedale
The attached patch allows "host-authority" to be used as valid
reference to the host authority when creating a LWCA.  It makes life
easier for me on the FreeIPA side :)

Cheers,
Fraser
From f1860c2315f13d458a33521f78327b8c3a84a246 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 5 May 2016 16:33:52 +1000
Subject: [PATCH] Lightweight CAs: accept "host-authority" as valid parent

Accept the string "host-authority" as a valid reference to the host
authority when creating a sub-CA.  This is a convenience for users,
and for systems that do not know (and do not want to look up) the ID
of the host authority.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../src/org/dogtagpki/server/ca/rest/AuthorityService.java   | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 
582248d4cf284fb759c5c483810da87683862c1f..29e9a470f59b725ffbfd3cc3079d736d2b7b906a
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -179,10 +179,14 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 public Response createCA(AuthorityData data) {
 String parentAIDString = data.getParentID();
 AuthorityID parentAID = null;
-try {
-parentAID = new AuthorityID(parentAIDString);
-} catch (IllegalArgumentException e) {
-throw new BadRequestException("Bad Authority ID: " + 
parentAIDString);
+if (AuthorityResource.HOST_AUTHORITY.equals(parentAIDString)) {
+parentAID = hostCA.getAuthorityID();
+} else {
+try {
+parentAID = new AuthorityID(parentAIDString);
+} catch (IllegalArgumentException e) {
+throw new BadRequestException("Bad Authority ID: " + 
parentAIDString);
+}
 }
 
 PKIPrincipal principal =
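Review bot: the `BadRequestException("Bad Authority ID: " + parentAIDString)` message no longer tells the client that the literal `host-authority` is accepted; mention it (e.g. "Bad Authority ID (expected an authority ID or \"host-authority\"): ...") so a near-miss such as `host_authority` is self-explaining. Also `parentAID = hostCA.getAuthorityID()` is assigned without a null check; if the host CA has no authority ID (lightweight CA schema not yet applied), the null propagates into the create path and fails later with a less useful error, so guard it here.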
-- 
2.5.5


[Pki-devel] [DESIGN] Lightweight CA renewal

2016-05-06 Thread Fraser Tweedale
Hullo all,

FreeIPA Lightweight CAs implementation is progressing well.  The
remaining big unknown in the design is how to do renewal.  I have
put my ideas into the design page[1] and would appreciate any and
all feedback!

[1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal

Some brief commentary on the options:

I intend to implement approach (1) as a baseline.  Apart from
implementing machinery in Dogtag to actually perform the renewal -
which is required for all the approaches - it's not much work and
gets us over the "lightweight CAs can be renewed easily" line, even
if it is a manual process.

For automatic renewal, I am leaning towards approach (2).  Dogtag
owns the lightweight CAs so I think it makes sense to give Dogtag
the ability to renew them automatically (if configured to do so),
without relying on external tools i.e. Certmonger.  But as you will
see from the outlines, each approach has its upside and downside.

Cheers,
Fraser



[Pki-devel] [PATCH] 0102 Lightweight CAs: allow specifying authority via ProfileSubmitServlet

2016-05-06 Thread Fraser Tweedale
Attached patch does what it says on the tin ;)

Cheers, and have a good weekend y'all.
Fraser
From cabae0a050fb752b290ece28d5dac927f01b3c01 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 6 May 2016 16:03:57 +1000
Subject: [PATCH] Lightweight CAs: allow specifying authority via
 ProfileSubmitServlet

Lightweight CAs were supported in REST-based request submission, but
not via ProfileSubmitServlet, however, FreeIPA currently uses
ProfileSubmitServlet, so make it possible to use lightweight CAs.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../cms/servlet/profile/ProfileSubmitServlet.java| 20 +++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
 
b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 
f7b08ece99e11f1e1633e0d67fb4646a27417d80..4096d0aecfc1eb71481d446a5809631516bc5d27
 100644
--- 
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ 
b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -33,6 +33,9 @@ import com.netscape.certsrv.authentication.EAuthException;
 import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.ca.CANotFoundException;
+import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IEnrollProfile;
@@ -220,8 +223,23 @@ public class ProfileSubmitServlet extends ProfileServlet {
 CMSTemplate.escapeJavaScriptStringHTML(profileId)));
 }
 
+String aidString = request.getParameter("authorityId");
+AuthorityID aid = null;
+if (aidString != null && !aidString.isEmpty()) {
+try {
+aid = new AuthorityID(aidString);
+} catch (IllegalArgumentException e) {
+throw new BadRequestDataException("invalid AuthorityID: " + 
aidString);
+}
+ICertificateAuthority ca = (ICertificateAuthority)
+CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ca = ca.getCA(aid);
+if (ca == null)
+throw new CANotFoundException("CA not found: " + aidString);
+}
+
 CertEnrollmentRequest data = 
CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-return processor.processEnrollment(data, request, null, null);
+return processor.processEnrollment(data, request, aid, null);
 }
 
 public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws 
EBaseException {
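Review bot: `ca = ca.getCA(aid)` is used only for the null check and then dropped, while `aid` goes to `processEnrollment`, which has to resolve the authority again; either pass `ca` through or drop the lookup here and let the processor raise `CANotFoundException`. The gate also admits a lightweight CA that exists but is disabled or has not yet retrieved its signing key (`authorityEnabled` and `hasKeys` in CertificateAuthority), so such requests fail deep in the enrollment pipeline; rejecting them here with a 4xx gives the submitter a clearer error.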
-- 
2.5.5


Re: [Pki-devel] [PATCH] 735 Removed default certificate validity delay.

2016-05-02 Thread Fraser Tweedale
On Mon, May 02, 2016 at 09:30:11AM -0500, Endi Sukma Dewata wrote:
> Some certificate profiles have been modified to remove the default
> one minute validity delay, allowing the certificate issued with
> those profiles to be used immediately.
> 
> https://fedorahosted.org/pki/ticket/2304
> 
LGTM.  Do we know what was the reason for the delay?

Cheers,
Fraser



Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-14 Thread Fraser Tweedale
On Thu, Apr 14, 2016 at 05:34:45PM -0400, Ade Lee wrote:
> Couple of points on 96/97.
> 
> 1. First off, I'm not sure you followed my concern about being able to
> distinguish between CA instances.
> 
> On an IPA system, this is not an issue because there is only one CA on
> the server.  In this case, I imagine there will be a well known
> directory which custodia would work with.
> 
> In general though, we have to imagine that someone could end up
> installing two different dogtag ca instances on the same server. 
>  CMS.getEEHost() would result in the same value (the hostname) for both
> CAs.  How does your helper program (or custodia) know which key to
> retrieve?
> 
Because it is running in IPA deployment, it contacts the Custodia
instance at https:///ipa/keys/... .  Note that this is
IPACustodiaKeyRetriever which is design for this purpose (and no
other).  Different setups will use a different KeyRetriever
implementation.  It is conceivable that IPACustodiaKeyRetriever
could be generalised in future.


> The way to distinguish Dogtag instances is host AND port.
> 
Re multiple Dogtag instances, uh yes I overlooked this.  For the IPA
use case it doesn't matter but I will update the code to write
`CMS.getEEHost() + ":" + CMS.getEEPort()` into the authority entry.
Alternative KeyRetriever implementations can use this to
distinguish between instances.

(Or do you think separate attributes for host and port would be
better?  Not much work either way.)

> 2.  So, we're very careful that the signing keys are never in memory in
> the server.  All accesses to the system certs are through JSS/NSS which
> essentially provides us handles to the keys.
> 
> Now, I see a case where we import PKCS12 data AND the password into
> memory, so that we can import it into NSS?  Say it ain't so ..
> 
> With custodia, we have a secure mechanism of transferring the keys from
> one server to another. It makes more sense to me to have the server
> kick off the custodia transfer and then have that process also import
> into the NSS db.  The server would then need to await status from the
> custodia/retriever process - and then initialize the signing unit from
> the NSS DB.  Or am I completely confused?
> 
In the original implementation, Custodia put the key directly into
the NSSDB.  Unfortunately, Dogtag could not observe the key unless
restarted (highly undesirable).  I did not deeply investigate why (I
guess some sort of caching or locking) - but I did not find a
workaround.  Even logging out and back into the Token did not help
(and caused other issues, like dropped or failed TLS connections in
other threads).

So I reluctantly redesigned it to what you see now, which works
- but I did not see the (obvious, in hindsight) problem.

Let's chat on IRC about it.  I will probably need the help of
NSS/JSS gurus to make the former approach work.

Cheers,
Fraser



[Pki-devel] Trac; add "Lightweight CAs" feature?

2016-04-20 Thread Fraser Tweedale
Hi all,

Could someone with the relevant permissions please add a
"Lightweight CAs" feature to the pki trac?  There's a substantial
quantity of outstanding tickets for this feature so it would be good
to have something more formal than the summary by which to group
them.

Thanks,
Fraser



Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-20 Thread Fraser Tweedale
Thanks Ade.  Updated patch 0096 attached.  Comments inline.

On Wed, Apr 20, 2016 at 11:30:52AM -0400, Ade Lee wrote:
> Comments:
> 
> 95 - ack
> 
> 96 -
> 
> 1. You have made the return type of initSigUnit() to be boolean. 
>  Should you be checking the return value in init()?
> 
It is not needed to check it here; only when re-entering init from
the KeyReplicatorRunner thread.

> 2. In addInstanceToAuthorityKeyHosts(), you are still using only the
> hostname.  Should be host:port
> 
Good pickup.  Fixed in latest patch.

> 3. The logic in the KeyRetrieverRunner class looks OK to me, but I'd
> like cfu and/or jmagne to check it and make sure we are calling the
> right primitives to wrap/unwrap inside the cryptographic token.
> 
> Also I'd like them to confirm that this would work for an HSM.
> Statements like the following make me question that:
>CryptoToken token = manager.getInternalKeyStorageToken()
> 
It won't work on HSM.  Can I get an HSM to test with? ;) I've filed
a ticket for HSM support[1].  FreeIPA does not yet support HSM[2] so
I think we can put it in 10.4 milestone (I've put it there for now).

[1] https://fedorahosted.org/pki/ticket/2292
[2] https://fedorahosted.org/freeipa/ticket/5608

> 4. Can you explain what happens if for some reason the script fails to
> retrieve the key?  Do we end up retrying later and if so, when?
> 
If the script fails to retrieve the key, it does not retry
automatically.  I filed a ticket[3] to implement retry with
backoff (this patchset is big enough already!) and put it in
10.3.1 milestone (that's up for discussion).

[3] https://fedorahosted.org/pki/ticket/2293

Right now, the following events cause authority reinitialisation,
entailing key retrieval if necessary:

- Dogtag is restarted
- LDAP disconnect-reconnect
- LDAP modification of authority replicated from another clone

> 97- ACK
> 
> 98 - ACK
>  
Thanks.  Any feedback on patch 0099?
From a256168d91c799d37e1e4f6e7af8dfb97b4340be Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 30 Mar 2016 12:38:24 +1100
Subject: [PATCH] Lightweight CAs: add key retrieval framework

Add the framework for key retrieval when a lightweight CA is missing
its signing key.  This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.

It does not include a KeyRetriever implementation.  A subsequent
commit will provide this.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../src/com/netscape/ca/CertificateAuthority.java  | 162 -
 base/ca/src/com/netscape/ca/KeyRetriever.java  |  56 +++
 .../src/netscape/security/pkcs/PKCS12Util.java |   3 +
 3 files changed, 215 insertions(+), 6 deletions(-)
 create mode 100644 base/ca/src/com/netscape/ca/KeyRetriever.java

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
37f1e95fc97f3d21ec6dc379962e27b42fb5b074..253c4bb323692b8e9fe8bd87e202d71afb810c67
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -35,6 +35,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateParsingException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Enumeration;
@@ -62,8 +63,10 @@ import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.KeyPairAlgorithm;
 import org.mozilla.jss.crypto.KeyPairGenerator;
 import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
+import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.crypto.TokenException;
+import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.pkix.cert.Extension;
 import org.mozilla.jss.pkix.primitive.Name;
 
@@ -205,6 +208,7 @@ public class CertificateAuthority
 protected AuthorityID authorityID = null;
 protected AuthorityID authorityParentID = null;
 protected String authorityDescription = null;
+protected Collection authorityKeyHosts = null;
 protected boolean authorityEnabled = true;
 private boolean hasKeys = false;
 private ECAException signingUnitException = null;
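Review bot: `protected Collection authorityKeyHosts = null;` is a raw type (and so is the constructor parameter added in the next hunk); declare it `Collection<String>` so the `host:port` strings discussed in this thread are type-checked and readers of the field do not need unchecked casts. Consider also making it a `Set`, since the same clone should not be recorded twice after repeated retrievals.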
@@ -340,6 +344,7 @@ public class CertificateAuthority
 AuthorityID aid,
 AuthorityID parentAID,
 String signingKeyNickname,
+Collection authorityKeyHosts,
 String authorityDescription,
 boolean authorityEnabled
 ) throws EBaseException {
@@ -355,6 +360,7 @@ public class CertificateAuthority
 this.authorityDescription = authorityDescription;
 this.authorityEnabled = authorityEnabled;
 

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-19 Thread Fraser Tweedale
Both issues addressed in latest patchset.  Two new patches in the
mix; the order is:

0095-4, 0098, 0099, 0096-4, 0097-3 (tip)

I also added another attribute to schema for the authority
certificate serial number.  It is not used in current code but I
have a hunch it may be needed for renewal, so I'm adding it now.

Thanks,
Fraser

On Thu, Apr 14, 2016 at 05:34:45PM -0400, Ade Lee wrote:
> Couple of points on 96/97.
> 
> 1. First off, I'm not sure you followed my concern about being able to
> distinguish between CA instances.
> 
> On an IPA system, this is not an issue because there is only one CA on
> the server.  In this case, I imagine there will be a well known
> directory which custodia would work with.
> 
> In general though, we have to imagine that someone could end up
> installing two different dogtag ca instances on the same server. 
>  CMS.getEEHost() would result in the same value (the hostname) for both
> CAs.  How does your helper program (or custodia) know which key to
> retrieve?
> 
> The way to distinguish Dogtag instances is host AND port.
> 
> 2.  So, we're very careful that the signing keys are never in memory in
> the server.  All accesses to the system certs are through JSS/NSS which
> essentially provides us handles to the keys.
> 
> Now, I see a case where we import PKCS12 data AND the password into
> memory, so that we can import it into NSS?  Say it ain't so ..
> 
> With custodia, we have a secure mechanism of transferring the keys from
> one server to another. It makes more sense to me to have the server
> kick off the custodia transfer and then have that process also import
> into the NSS db.  The server would then need to await status from the
> custodia/retriever process - and then initialize the signing unit from
> the NSS DB.  Or am I completely confused?
> 
> Ade
> 
> 
> 
> On Thu, 2016-04-14 at 16:35 -0400, Ade Lee wrote:
> > Still reviewing .. ACK on 87-95 (inclusive).
> > 
> > On Thu, 2016-04-14 at 16:18 +1000, Fraser Tweedale wrote:
> > > On Thu, Apr 14, 2016 at 09:04:31AM +1000, Fraser Tweedale wrote:
> > > > On Wed, Apr 13, 2016 at 05:26:44PM -0400, Ade Lee wrote:
> > > > > Still reviewing ..
> > > > > 
> > > > > See comment on 87.  ACK on 88,89,90,91,92,93, 94, 95.
> > > > > 
> > > > > Ade
> > > > > 
> > > > > On Mon, 2016-04-11 at 12:32 +1000, Fraser Tweedale wrote:
> > > > > > Thanks for review, Ade.  Comments to specific feedback
> > > > > > inline.
> > > > > > Rebased and updated patches attached.  The substantive
> > > > > > changes
> > > > > > are:
> > > > > > 
> > > > > > - KeyRetriever implementations are now required NOT to import
> > > > > > the
> > > > > >   key themselves.  Instead the API is updated with
> > > > > >   KeyRetriever.retrieveKey returning a Result, which contains
> > > > > > PKCS
> > > > > >   #12 data and password for same.
> > > > > > 
> > > > > > - KeyRetrieverRunner reads the Result and imports the PKCS
> > > > > > #12
> > > > > > into
> > > > > >   NSSDB.
> > > > > > 
> > > > > > - Added new patch 0097 which provides the
> > > > > > IPACustodiaKeyRetriever
> > > > > >   and associated Python helper script.  It depends on an
> > > > > > unmerged
> > > > > >   FreeIPA patch[1] as well as a particular principal and
> > > > > > associated
> > > > > >   keytab and Custodia keys existing.  I'm working on FreeIPA
> > > > > > updates
> > > > > >   to satisfy these requirements automatically on install or
> > > > > > upgrade
> > > > > >   but if you want to test this patch LMK and I'll provide
> > > > > > detailed
> > > > > >   instructions.
> > > > > > 
> > > > > >   [1] 
> > > > > > https://www.redhat.com/archives/freeipa-devel/2016-April/msg0
> > > > > > 00
> > > > > > 55.html
> > > > > > 
> > > > > > Other comments inline.
> > > > > > 
> > > > > > Cheers,
> > > > > > Fraser
> > > > > > 
> > > > > > On Fri, Apr 08, 2016 at 11:16:19AM -0400, Ade Lee wrote:
> > > > > > > 
> > >

Re: [Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support

2016-04-13 Thread Fraser Tweedale
On Wed, Apr 13, 2016 at 05:26:44PM -0400, Ade Lee wrote:
> Still reviewing ..
> 
> See comment on 87.  ACK on 88,89,90,91,92,93, 94, 95.
> 
> Ade
> 
> On Mon, 2016-04-11 at 12:32 +1000, Fraser Tweedale wrote:
> > Thanks for review, Ade.  Comments to specific feedback inline.
> > Rebased and updated patches attached.  The substantive changes are:
> > 
> > - KeyRetriever implementations are now required NOT to import the
> >   key themselves.  Instead the API is updated with
> >   KeyRetriever.retrieveKey returning a Result, which contains PKCS
> >   #12 data and password for same.
> > 
> > - KeyRetrieverRunner reads the Result and imports the PKCS #12 into
> >   NSSDB.
> > 
> > - Added new patch 0097 which provides the IPACustodiaKeyRetriever
> >   and associated Python helper script.  It depends on an unmerged
> >   FreeIPA patch[1] as well as a particular principal and associated
> >   keytab and Custodia keys existing.  I'm working on FreeIPA updates
> >   to satisfy these requirements automatically on install or upgrade
> >   but if you want to test this patch LMK and I'll provide detailed
> >   instructions.
> > 
> >   [1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg000
> > 55.html
> > 
> > Other comments inline.
> > 
> > Cheers,
> > Fraser
> > 
> > On Fri, Apr 08, 2016 at 11:16:19AM -0400, Ade Lee wrote:
> > > 
> > > 0087
> > > 
> > > 1. In SigningUnit.java -- you catch an ObjectNotFound exception and
> > > rethrow that as a CAMissingKey exception.  Is that the only way the
> > > ObjectNotFound exception can be thrown?  What if the key is present
> > > but
> > > the cert is not?  Can we refactor here to ensure that the correct
> > > exception is thrown?
> > > 
> > One can't get additional info out of ObjectNotFound without
> > inspecting the String message, which I'm not comfortable doing.  The
> > key retrieval system should import key and cert at same time so I've
> > renamed the exception to CAMissingKeyOrCert for clarity.
> > 
> 
> Well, you can always nest exceptions like so :
> 
>   mToken.login(cb); // ONE_TIME by default.
> 
> try {
> mCert = mManager.findCertByNickname(mNickname);
> CMS.debug("Found cert by nickname: '" + mNickname + "' with 
> serial number: " + mCert.getSerialNumber());
> 
> mCertImpl = new X509CertImpl(mCert.getEncoded());
> CMS.debug("converted to x509CertImpl");
> } catch (ObjectNotFoundException e) {
> throw new CAMissingCertException();
> }
> 
> try {
> mPrivk = mManager.findPrivKeyByCert(mCert);
> CMS.debug("Got private key from cert");
> } catch (ObjectNotFoundException e) {
>throw new CAMissingKeyException();
> }
> 
> 
> The only reason that I suggest this is that I could imagine this kind
> of differentiation being useful in debugging failed custodia
> replications.  If you think otherwise, I'm prepare to be convinced
> otherwise.
> 
I think a scenario where we get key but not cert, or vice versa, is
unlikely (Custodia gives us a PKCS #12 file with both).  However,
your suggestion should work and it is a relatively small change.
I'll cut a new patchset with this change today, along with the
rebase.

Cheers,
Fraser

> > > 0088:
> > > 
> > > 2. What does dbFactory.reset() do and does it need to be called in
> > > a
> > > cleanup routine somewhere?  Are we leaking resources?
> > > 
> > > Answered I think on IRC.  It just terminates any current
> > > connections -
> > > but do we need to call it on CA shutdown?
> > > 
> > dbFactory.reset() is already called in the shutdown() method.  (Only
> > the host authority calls it).
> > 
> > > 0089:  ACK
> > > 
> > > 0090:  ACK
> > > 
> > > 0091: ACK (with proviso below)
> > > 
> > > 3. Not super-crazy about the names of the methods
> > > commitAuthority(),
> > > commitModifyAuthority and deleteAuthorityEntry().  They are not
> > > very
> > > consistent.  I would suggest addAuthorityEntry(),
> > > modifyAuthorityEntry() and deleteAuthorityEntry() instead.
> > > 
> > Done.
> > 
> > > 0092: ACK (with following proviso)
> > > 
> > > 4. Talking with Nathan about this, he suggested that syncrepl is
> > 

[Pki-devel] [PATCH] 0128 Fix CA OCSP responder when LWCA's are not in use

2016-07-26 Thread Fraser Tweedale
Hi team,

The attached patch fixes https://fedorahosted.org/pki/ticket/2420.

Thanks,
Fraser
From 86030eb0c231734a3020b201a9be60e84d023e75 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 26 Jul 2016 14:07:10 +1000
Subject: [PATCH] Fix CA OCSP responder when LWCAs are not in use

The CA subsystem OCSP responder was updated to handle dispatching
OCSP requests to the relevant CertificateAuthority instance,
according to the issuer of the certificates identified in the
request.  Unfortunately, the updated routine assumes that the
database updates that enable lightweight CAs have occurred.  If they
have not, the OCSP responder always fails.

Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
are not in use, the current instance is the one and only CA, and
proceed straight to validation.

Fixes: https://fedorahosted.org/pki/ticket/2420
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
502ab1856352fb26ed480a3a54d59ffca5facdb3..a5397da0c0dcea654a15f16e5becc5c430a1bb29
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2240,6 +2240,10 @@ public class CertificateAuthority
  * employ some heuristic to deal with this case. Our
  * heuristic is:
  *
+ * 0. If caMap contains no CAs, then lightweight CAs are not
+ *enabled.  There is only one CA, and 'this' is it.  Go
+ *straight to validation.
+ *
  * 1. Find the issuer of the cert identified by the first
  *CertID in the request.
  *
@@ -2254,7 +2258,7 @@ public class CertificateAuthority
  *aggregate OCSP response.
  */
 ICertificateAuthority ocspCA = this;
-if (tbsReq.getRequestCount() > 0) {
+if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) {
 com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0);
 BigInteger serialNo = req.getCertID().getSerialNumber();
 X509CertImpl cert = mCertRepot.getX509Certificate(serialNo);
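Review bot: `caMap.size() > 0` silently falls back to answering as `this`, so if lightweight CAs are enabled but `caMap` is empty for another reason (for example the authority entries have not been loaded yet when the first OCSP request arrives), a request about a certificate issued by a sub-CA is answered from the host CA's repository instead of being dispatched, and step 0 in the comment cannot tell the two cases apart. Consider a flag set when the lightweight CA schema is detected, rather than inferring it from an empty map, plus a debug log line when step 0 is taken, so a wrong-issuer answer is diagnosable.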
-- 
2.5.5


Re: [Pki-devel] [PATCH] Added fix for pki-server for db-update

2016-07-14 Thread Fraser Tweedale
On Thu, Jul 14, 2016 at 03:51:18PM +0530, Geetika Kapoor wrote:
> 
> 
> On 07/14/2016 03:02 PM, Geetika Kapoor wrote:
> >
> > On 07/14/2016 01:53 PM, Fraser Tweedale wrote:
> >> On Thu, Jul 14, 2016 at 06:01:51PM +1000, Fraser Tweedale wrote:
> >>> On Thu, Jul 14, 2016 at 01:05:18PM +0530, Geetika Kapoor wrote:
> >>>> On 07/14/2016 11:38 AM, Geetika Kapoor wrote:
> >>>>> On 07/14/2016 10:06 AM, Fraser Tweedale wrote:
> >>>>>> On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Please review this patch. Below is a small summary about this fix and
> >>>>>>> what we are trying to achieve.
> >>>>>>>
> >>>>>>> CLI :  pki-server db-upgrade
> >>>>>>>
> >>>>>>> what it should be doing is if it sees that issuerName doesn't 
> >>>>>>> exist, NULL
> >>>>>>> it will add it itself.
> >>>>>>>
> >>>>>>> Operation 1 : Search for the empty cn value for issuerName
> >>>>>>> ---
> >>>>>>>
> >>>>>>> Current :   '(&(objectclass=certificateRecord)(issuerName=*))  -- I
> >>>>>>> tried this it didn't show data even if i have record with empty 
> >>>>>>> issuerName
> >>>>>>>
> >>>>>> Hi Geetika,
> >>>>>>
> >>>>>> The current filter is actually:
> >>>>>>
> >>>>>>   '(&(objectclass=certificateRecord)(!(issuerName=*)))',
> >>>>>>
> >>>>>> This should match entries missing the issuerName attribute.  You
> >>>>>> talk about an entry with "empty issuerName" but empty strings are
> >>>>>> not allowed for the Directory String attribute type.  Could you
> >>>>>> please clarify exactly what data is in the offending entry/entries
> >>>>>> and how it got there?
> >>>>> Hi Fraser,
> >>>>>
> >>>>> If we disable syntax check in ldap dse.ldif, it will accept empty
> >>>>> data as well. So if an end user disables syntax check, issuerName can be
> >>>>> empty in that case (a test case that I tried).
> >>>>> So in that case db-update will never happen because that condition is
> >>>>> not considered. This scenario can be reproduced using below ldif file.
> >>>>>
> >>>>> 
> >>>>>
> >>>>> dn: cn=106,ou=certificateRepository,ou=ca,o=pkitest-CA
> >>>>> objectClass: certificateRecord
> >>>>> objectClass: top
> >>>>> cn: 106
> >>>>> algorithmId: 1.2.840.113549.1.1.1
> >>>>> autoRenew: ENABLED
> >>>>> certStatus: VALID
> >>>>> dateOfCreate: 20160712084443Z
> >>>>> dateOfModify: 20160712084443Z
> >>>>> duration: 113153600
> >>>>> issuedBy:   geetika20
> >>>>> *issuerName: *  
> >>>>> metaInfo: requestId:100
> >>>>> notAfter: 20170712084205Z
> >>>>> notBefore: 20160712084205Z
> >>>>> publicKeyData::
> >>>>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu0Hlk6SdMnyr0Igq
> >>>>> serialno: 100
> >>>>> signingAlgorithmId: 1.2.840.113549.1.1.11
> >>>>> subjectName: CN=CS Administrator,C=US
> >>>>> userCertificate;binary::
> >>>>> MIIC6DCCAdCgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBHMSQwIgY
> >>>>> version: 2
> >>>>>
> >>>>> 
> >>>>>
> >>>>> So in such a case using
> >>>>> '(&(objectclass=certificateRecord)(!(issuerName=*)))',will not able to
> >>>>> search for such entries. I tried and it gives me empty data. I believe
> >>>>> using (&(objectclass=certificateRecord)
> >>>>> (!(issuerName=*))(!(issuerName=cn*))) can solve that purpose.
> >>>>>
> >>>>> Thanks
> >>>>> Geetika
> >>>> Hi Fraser,
> >>>>
> >>>> I just did one quick round of testing. If we have
> >>>> '(&(objectclass=certificateRecord)(!(issuerName=cn*)))', it will work in
> >>>> both cases :
> >>>>
> >>>> 1. When issuerName doesn't exist.
> >>>> 2. When issuserName field exist but has empty value.
> >>>>
> >>>> Thanks
> >>>> Geetika
> >>>>
> >>> I still disagree that it is the right approach, because it may do
> >>> unnecessary work for records that already have an issuerName that
> >>> does not start with "cn".
> >>>
> >>> Is it even necessary to support cases where customer has disabled
> >>> syntax checking?  Nevertheless, let me disable syntax checking on
> >>> one of my instances and see if I can find a better filter.
> >>>
> >> Please try this filter:
> >>
> >> (&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))
> >>
> >> It will find only certificates with missing or empty issuername
> >> attribute.  Does it work as expected for you, Geetika?
> > Let me try, Fraser.
> >
> > Thanks
> 
> Thanks Fraser for helping in giving a better solution.
>
You're welcome.  ACK, and pushed to master:

c3ff087bd07cde4cd272defad499fd4d8367e5c1


Re: [Pki-devel] [PATCH] Added fix for pki-server for db-update

2016-07-13 Thread Fraser Tweedale
On Wed, Jul 13, 2016 at 04:36:26PM +0530, Geetika Kapoor wrote:
> Hi,
> 
> Please review this patch. Below is a small summary about this fix and
> what we are trying to achieve.
> 
> CLI :  pki-server db-upgrade
> 
> What it should be doing is: if it sees that issuerName doesn't exist or is NULL,
> it will add it itself.
> 
> Operation 1 : Search for the empty cn value for issuerName
> ---
> 
> Current :   '(&(objectclass=certificateRecord)(issuerName=*))  -- I
> tried this; it didn't show data even if I have a record with an empty issuerName
> 
Hi Geetika,

The current filter is actually:

  '(&(objectclass=certificateRecord)(!(issuerName=*)))',

This should match entries missing the issuerName attribute.  You
talk about an entry with "empty issuerName" but empty strings are
not allowed for the Directory String attribute type.  Could you
please clarify exactly what data is in the offending entry/entries
and how it got there?

> Modified :  (&(objectclass=certificateRecord)(!(issuerName=cn*)))'   --
> This solves the purpose as it shows all the certs without issuerName
> 
This filter is wrong - it does match entries without issuerName (as
intended), but also matches entries with issuerName set but not
starting with "cn".

> 
> Operation 2 : If we see an empty cn value, we are replacing it with the
> value we get from the code
> --
> <code>
> 
> cert = nss.Certificate(bytearray(attr_cert[0]))
> issuer_name = str(cert.issuer)
> 
> 
> 
> Current : we are updating the list in the format as mentioned
> 'issuerName': ['', 'CN=CA Signing Certificate,O=example.com Security
> Domain']
> 
> Do we want to keep this behavior or do we want to overwrite it in the first
> place? I believe instead we should do MOD_REPLACE.
> 
>  conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
> 
> Modified : conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)])
> 
This change is OK.
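
The three filters argued over in this thread and its follow-up (the current `(!(issuerName=*))`, the proposed `(!(issuerName=cn*))`, and the `(|(!(issuername=*))(issuername=))` suggestion) evaluated against constructed certificateRecord entries. This is an added example, not pki-server code or any patch from the thread; it implements only the LDAP filter subset used here (&, |, !, presence, equality, trailing-* prefix) over dict-shaped entries so it runs without a directory server, and assumes case-insensitive matching as for Directory String attributes.

```python
"""Evaluate the issuerName filters discussed in the thread against constructed
certificateRecord entries (added example; not pki-server code)."""

# Filters quoted in the thread: the current pki-server one, the "cn*" proposal
# and the missing-or-empty suggestion.
FILTER_CURRENT = "(&(objectclass=certificateRecord)(!(issuerName=*)))"
FILTER_PROPOSED = "(&(objectclass=certificateRecord)(!(issuerName=cn*)))"
FILTER_MISSING_OR_EMPTY = (
    "(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))"
)

# Constructed entries: dn -> {lower-cased attribute: [values]}.  cn=101 models
# a record written with syntax checking disabled, like the ldif in the thread.
ENTRIES = {
    "cn=100": {"objectclass": ["certificateRecord", "top"]},   # no issuerName at all
    "cn=101": {"objectclass": ["certificateRecord", "top"],
               "issuername": [""]},                           # empty issuerName
    "cn=102": {"objectclass": ["certificateRecord", "top"],
               "issuername": ["CN=CA Signing Certificate,O=example.com Security Domain"]},
    "cn=103": {"objectclass": ["certificateRecord", "top"],
               "issuername": ["O=Example,CN=Other CA"]},      # set, but not "cn..." first
    "cn=104": {"objectclass": ["certificateRequest", "top"]},  # not a certificateRecord
}


def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        kids = []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, i))
        return (op, kids), i + 1
    if op == "!":
        node, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated ! at offset %d" % i)
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("item", attr.lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        # Presence: the attribute exists, even if its only value is empty
        # (which is why the current filter misses cn=101, as observed in the thread).
        return bool(values)
    if value.endswith("*"):
        # Substring filter with an initial component only (e.g. cn*).
        prefix = value[:-1].lower()
        return any(v.lower().startswith(prefix) for v in values)
    # Equality; "(issuername=)" asserts the empty value.
    return any(v.lower() == value.lower() for v in values)


def search(filter_string, entries=ENTRIES):
    """Return the sorted DNs of entries matching filter_string."""
    node, end = parse(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing text after filter")
    return sorted(dn for dn, entry in entries.items() if matches(node, entry))


if __name__ == "__main__":
    for label, f in [("current", FILTER_CURRENT), ("proposed", FILTER_PROPOSED),
                     ("missing-or-empty", FILTER_MISSING_OR_EMPTY)]:
        print("%-17s %s" % (label, search(f)))
```

The "cn*" proposal also returns cn=103, whose issuerName is set but does not start with "cn", which is the over-matching Fraser objected to; the missing-or-empty filter returns exactly cn=100 and cn=101.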


Re: [Pki-devel] JSS/NSS

2016-08-07 Thread Fraser Tweedale
On Fri, Aug 05, 2016 at 10:10:22AM -0700, George Wash wrote:
> Are there any plans on the dogtag roadmap to ever migrate away from using
> JSS/NSS?
> 
Hi George,

I don't think there are any such plans.  Why do you ask?

Cheers,
Fraser


Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote:
> On 6/22/2016 4:53 AM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
> > See commit message and bz1323400[1] for full history and details.
> > 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400
> > 
> > The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
> > 10.2.x release cut for f23.
> > 
> > I have an f23 COPR build containing the fix for anyone wishing to
> > test:
> > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/
> > 
> > Huge props to Adam Williamson for doing a lot of legwork in tracking
> > down the cause of this issue.
> > 
> > Thanks,
> > Fraser
> 
> ACK. When we have a proper database upgrade method we should consider
> converting this code into an upgrade script.
> 
Thanks; pushed:

master  2dea243d51765e3a8f01f7680592143c842921ce
DOGTAG_10_2_BRANCH  c34d326712940524419d65c6cb6cc9653221362b
DOGTAG_10_2_6_BRANCH  f0d036feb9604cc656b3b8ae46c822bec14e6ac8


Re: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 9:52 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
> > Wanted for 10.3.4.
> > 
> > Thanks,
> > Fraser
> 
> Two things:
> 
> 1. I don't think the patch author is correct :)
> 
Hah, yikes!  I think I accidentally squashed something and didn't
notice the author had changed after I fixed it up :)

> 2. Existing issue, but while you're there could you chain the original
> exception to the ECAException?
> 
Yep, done.  Pushed to master
(c7f9e6c4e0711dfafc81d201dcfadee3e0efa335)

Cheers,
Fraser

> Assuming they're addressed, ACK.
>


Re: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.

2016-06-30 Thread Fraser Tweedale
On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote:
> The pki-server subsystem-cert-update is supposed to restore the
> system certificate data and requests into CS.cfg. The command was
> broken since the CASubsystem class that contains the code to find
> the certificate requests from database was not loaded correctly.
> To fix the problem the CASubsystem class has been moved into the
> pki/server/__init__.py.
> 
> All pki-server subsystem-* commands have been modified to check
> the validity of the instance.
> 
> An option has been added to the pki-server subsystem-cert-show
> command to display the data and request of a particular system
> certificate.
> 
> The redundant output of the pki-server subsystem-cert-update has
> been removed. The updated certificate data and request can be
> obtained using the pki-server subsystem-cert-show command.
> 
> https://fedorahosted.org/pki/ticket/2385
> 
ACK; pushed to master (67bbdc5edd1404f89e638037599b4231f50490f8).

Thanks,
Fraser


Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:
> The pki-server ca-* commands have been modified to validate
> the instance and the CA subsystem before proceeding with the
> operation.
> 
> The usage() methods and invocations have been renamed into
> print_help() for consistency.
> 
> https://fedorahosted.org/pki/ticket/2364
> 
> -- 
> Endi S. Dewata
>
ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if an invalid
subsystem is given, e.g.:

# pki-server subsystem-cert-find kra

AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in future patch.

Thanks,
Fraser


[Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-01-31 Thread Fraser Tweedale
Hi all,

The attached patches implement the long-desired feature to copy CN
to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).

I've also pushed the branch to my GitHub repo; feel free to review
the patches there:
https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san

Thanks,
Fraser
From 3f913b1857712dd0a962d42f56f29d7faebf244e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 1 Feb 2017 16:15:39 +1000
Subject: [PATCH 151/155] DNSName: add method to get value

To implement a profile default that copies CN to SAN dNSName, we
need to examine existing dNSName values.  To support this, add the
'getValue()' method to 'DNSName'.

Part of: https://fedorahosted.org/pki/ticket/1710
---
 base/util/src/netscape/security/x509/DNSName.java | 8 
 1 file changed, 8 insertions(+)

diff --git a/base/util/src/netscape/security/x509/DNSName.java 
b/base/util/src/netscape/security/x509/DNSName.java
index 
361c23571f423f635e2026c64c7bcf902f5ff3be..2161adf3701a554040ca4afc5b0c39337ed8452a
 100644
--- a/base/util/src/netscape/security/x509/DNSName.java
+++ b/base/util/src/netscape/security/x509/DNSName.java
@@ -79,4 +79,12 @@ public class DNSName implements GeneralNameInterface {
 public String toString() {
 return ("DNSName: " + name);
 }
+
+/**
+ * Get the raw DNSName value.
+ */
+public String getValue() {
+return name;
+}
+
 }
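Review bot: the Javadoc for `getValue()` should say that the returned string is the stored `name` with no normalisation, because the CN-to-SAN default this patch series builds will compare it against other dNSName values, and DNS names compare case-insensitively; the accessor itself is fine.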
-- 
2.9.3

From aaa8d03d36f31894fed3c8d9c7b5126ac5417774 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 1 Feb 2017 16:17:51 +1000
Subject: [PATCH 152/155] GeneralName: add method to get at inner value

The 'GeneralNameInterface' interface represents a single X.509
General Name value.  Various types are supported.  The 'GeneralName'
class (which also implements 'GeneralNameInterface') is a singleton
container for another 'GeneralNameInterface' value.

To implement a profile component that copies CN to a SAN dNSName, we
need to examine existing General Names in the SAN extension (if
present), to avoid duplicate values.  We can iterate 'GeneralNames',
but if the value is of type 'GeneralName' we need a way to "unwrap"
the value, down to the innermost value which will be of a specific
General Name type.

Add the 'unwrap' method to 'GeneralName'.

Part of: https://fedorahosted.org/pki/ticket/1710
---
 base/util/src/netscape/security/x509/GeneralName.java | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/base/util/src/netscape/security/x509/GeneralName.java 
b/base/util/src/netscape/security/x509/GeneralName.java
index 
a90ac7bf259b519c91bb2f67cf159f7b4178b182..55b5bfcf304c0c8ccf893f9a6ef70d2e5c2ee0e2
 100644
--- a/base/util/src/netscape/security/x509/GeneralName.java
+++ b/base/util/src/netscape/security/x509/GeneralName.java
@@ -196,4 +196,19 @@ public class GeneralName implements GeneralNameInterface {
  constructedForm, (byte) nameType), tmp);
 }
 }
+
+/**
+ * Unwrap this GeneralName until we reach something that is not
+ * a GeneralName.
+ */
+public GeneralNameInterface unwrap() {
+if (this == name)
+return null;  // can't happen, but just in case...
+
+if (name instanceof GeneralName)
+return ((GeneralName) name).unwrap();
+else
+return name;
+}
+
 }
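Review bot: `unwrap()` can return `null` (the `this == name` guard) but the Javadoc does not mention it, so a caller iterating SAN values could dereference null; either document the null return or throw, since the comment itself says the case "can't happen". The `else` after `return` is also redundant: `if (name instanceof GeneralName) return ((GeneralName) name).unwrap();` followed by `return name;` reads more cleanly.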
-- 
2.9.3

From 805b2e2d753f86c39af225d13c7614974e10c154 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 1 Feb 2017 16:25:11 +1000
Subject: [PATCH 153/155] SubjectAlternativeNameExtension: add GeneralNames
 getter/setter

To implement a profile default that copies CN to SAN dNSName, we
need to read and set the 'GeneralNames' of the extension.  This can
be done via the 'get' and 'set' methods but this interface is
awkward and requires the caller to deal with exceptions that aren't
fundamental to the get/set actions.

Add the 'setGeneralNames' and 'getGeneralNames' methods.

Part of: https://fedorahosted.org/pki/ticket/1710
---
 .../security/x509/SubjectAlternativeNameExtension.java| 15 +++
 1 file changed, 15 insertions(+)

diff --git 
a/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java 
b/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
index 
d96c821604308c11723644e8842e1dcc6f224034..82f87e1ef647496353f598a33290d6dcfb5e8f04
 100644
--- a/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
+++ b/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
@@ -199,6 +199,21 @@ public class SubjectAlternativeNameExtension extends 
Extension
 }
 
 /**
+ * Set the GeneralNames of this extension.
+ */
+public void setGeneralNames(GeneralNames names) {
+clearValue();
+this.names = names;
+}
+
+/**
+ * Get the GeneralNames of this extension.
+ */
+ 
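Review bot: `setGeneralNames` accepts `null` without checking; because `clearValue()` runs first, a null `names` leaves the extension with neither a cached encoding nor names to re-encode from. Reject null with an `IllegalArgumentException`, or state in the Javadoc that null clears the extension if that is intended.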

[Pki-devel] [PATCH] 0156 Remove unused dependency from tomcat classes build

2017-02-06 Thread Fraser Tweedale
Pushed under one-liner/trivial rule.

Thanks,
Fraser
From 463be6afd824f39c9e02881d7b9b168cd92093a1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 10:31:32 +1000
Subject: [PATCH 156/158] Remove unused dependency from tomcat classes build

---
 base/server/tomcat/src/CMakeLists.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/base/server/tomcat/src/CMakeLists.txt 
b/base/server/tomcat/src/CMakeLists.txt
index 
21d1c63311a7d2a6d0ad0b0f977ecdd6f45484b7..087bcd9acd7f0be8de274c9716466e3920bc3f52
 100644
--- a/base/server/tomcat/src/CMakeLists.txt
+++ b/base/server/tomcat/src/CMakeLists.txt
@@ -114,5 +114,4 @@ javac(pki-tomcat-classes
 OUTPUT_DIR
 ${CMAKE_BINARY_DIR}/../../tomcat
 DEPENDS
-pki-tools-jar
 )
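Review bot: removing `pki-tools-jar` leaves the `DEPENDS` keyword with no arguments (the `DEPENDS` line is now immediately followed by `)`); either drop the keyword as well or confirm the `javac()` macro tolerates an empty DEPENDS list, otherwise the dangling keyword will puzzle the next reader.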
-- 
2.9.3


[Pki-devel] [PATCH] 0157..0158 authToken-related refactors

2017-02-06 Thread Fraser Tweedale
Please review attached patches; a couple of small refactors to ease
upcoming GSS-API work.

Thanks,
Fraser
From 71a94aba941b395a07a849eacb125b9657f70f59 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 11:38:03 +1000
Subject: [PATCH 157/158] Define AgentCertAuthentication token keys in
 IAuthToken

Small refactor to define the auth token keys set by
AgentCertAuthentication in IAuthToken, so that consumers do not need
to import AgentCertAuthentication directly, or redefine the
constants.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../com/netscape/certsrv/authentication/IAuthToken.java |  3 +++
 .../cms/authentication/AgentCertAuthentication.java | 17 +
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git 
a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java 
b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
index 
a3f240e9c35987462eb2f176de650a769df1005c..59c6af20c32e2ae7b94fb80208539c01303a9fcd
 100644
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
@@ -37,8 +37,11 @@ public interface IAuthToken {
 /**
  * Constant for userid.
  */
+public static final String USER = "user";
+public static final String USER_DN = "userdn";
 public static final String USER_ID = "userid";
 public static final String UID = "uid";
+public static final String GROUP = "group";
 public static final String GROUPS = "groups";
 
 /* Subject name of the certificate in the authenticating entry */
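Review bot: the new `USER` and `USER_DN` constants are inserted between the `Constant for userid.` Javadoc and `USER_ID`, so that comment now documents `USER` rather than `USER_ID`; place the additions after `UID` or give them their own comment, and note that `USER` carries the user's DN (the key is `"user"` but the value set by `AgentCertAuthentication` is a DN), which the name alone does not convey.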
diff --git 
a/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
 
b/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
index 
c65dd397148c989fd9aa4d0e1e4ae7faf735342d..b7fafc895781e4bc950fa60b03444a6ad33248c7
 100644
--- 
a/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
+++ 
b/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
@@ -57,13 +57,6 @@ import com.netscape.certsrv.usrgrp.IUser;
 public class AgentCertAuthentication implements IAuthManager,
 IProfileAuthenticator {
 
-/* result auth token attributes */
-public static final String TOKEN_USERDN = "user";
-public static final String TOKEN_USER_DN = "userdn";
-public static final String TOKEN_USERID = "userid";
-public static final String TOKEN_UID = "uid";
-public static final String TOKEN_GROUP = "group";
-
 /* required credentials */
 public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT;
 protected String[] mRequiredCreds = { CRED_CERT };
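Review bot: deleting the public `TOKEN_USERDN`, `TOKEN_USER_DN`, `TOKEN_USERID`, `TOKEN_UID` and `TOKEN_GROUP` constants is a source-compatibility break for any out-of-tree authentication plugin that referenced them; if such consumers exist, keep them for one release as `@Deprecated` aliases of the `IAuthToken` constants, e.g. `@Deprecated public static final String TOKEN_USERID = IAuthToken.USER_ID;`.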
@@ -225,11 +218,11 @@ public class AgentCertAuthentication implements 
IAuthManager,
 throw new 
EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR"));
 }
 }
-authToken.set(TOKEN_USERDN, user.getUserDN());
-authToken.set(TOKEN_USER_DN, user.getUserDN());
-authToken.set(TOKEN_USERID, user.getUserID());
-authToken.set(TOKEN_UID, user.getUserID());
-authToken.set(TOKEN_GROUP, groupname);
+authToken.set(IAuthToken.USER, user.getUserDN());
+authToken.set(IAuthToken.USER_DN, user.getUserDN());
+authToken.set(IAuthToken.USER_ID, user.getUserID());
+authToken.set(IAuthToken.UID, user.getUserID());
+authToken.set(IAuthToken.GROUP, groupname);
 authToken.set(CRED_CERT, certs);
 
 CMS.debug("AgentCertAuthentication: authenticated " + 
user.getUserDN());
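Review bot: `IAuthToken.USER` and `IAuthToken.USER_DN` are both set to `user.getUserDN()`, and `USER_ID` and `UID` both to `user.getUserID()`; if the duplication exists only so that consumers reading the old `"user"`/`"uid"` keys keep working, a one-line comment saying so would stop someone "fixing" it in the upcoming GSS-API work.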
-- 
2.9.3

From 04df8149e4caea2ace84e81b5b166be637f0b00d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 11:47:54 +1000
Subject: [PATCH 158/158] CertProcessor: extract method setAuthTokenIntoRequest

The "set auth token into request" logic is extensive and warrants
extraction.  It also has a separate concern mixed in with it: the
self-assignment of the request if the authenticated user is a
"Registration Manager Agent".

Separate these concerns and extract the setAuthTokenIntoRequest
method.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../netscape/cms/servlet/cert/CertProcessor.java   | 68 +++---
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java 
b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index 
026f4d4af5c2316ae8a93b2ecc62bc398d3b8b71..47b522208af05486a22abdd6196d8385dd615857
 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -116,6 +116,30 @@ public class CertProcessor e

[Pki-devel] [PATCH] 0159..0161 Fix config param removal in profile modification

2017-02-07 Thread Fraser Tweedale
Please review the attached patches which fix
https://fedorahosted.org/pki/ticket/2588, a bug in profile
modification where config params can only be added or changed, but
not removed.

Thanks,
Fraser
From 0a86f63cfe2d5391befe401541e9dcc0dae6ce29 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 17:27:06 +1000
Subject: [PATCH 159/161] LDAPProfileSubsystem: avoid duplicating logic in
 superclass

Part of: https://fedorahosted.org/pki/ticket/2588
---
 .../cmscore/profile/AbstractProfileSubsystem.java  |  7 +++-
 .../cmscore/profile/LDAPProfileSubsystem.java  | 43 --
 2 files changed, 13 insertions(+), 37 deletions(-)

diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
 
b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
index 
116b8e2026e80b012fb87647fd8924b567194fa3..2a209ad5b2656d65db57d36b7ecb2745527ab081
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
+++ 
b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
@@ -121,7 +121,7 @@ public abstract class AbstractProfileSubsystem implements 
IProfileSubsystem {
 /**
  * Commits a profile.
  */
-public void commitProfile(String id)
+public synchronized void commitProfile(String id)
 throws EProfileException {
 IConfigStore cs = mProfiles.get(id).getConfigStore();
 
@@ -157,6 +157,11 @@ public abstract class AbstractProfileSubsystem implements 
IProfileSubsystem {
 
 // finally commit the configStore
 //
+commitConfigStore(id, cs);
+}
+
+protected void commitConfigStore(String id, IConfigStore cs)
+throws EProfileException {
 try {
 cs.commit(false);
 } catch (EBaseException e) {
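Review bot: the new `protected commitConfigStore(String id, IConfigStore cs)` hook has no Javadoc; document that it is called with the profile subsystem lock held (via the now-synchronized `commitProfile`) and that subclasses override it to persist the store, since that contract is what the LDAP override relies on.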
diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 
fff8ead3f2088aedaf5856c308dd33be90af7779..bce675e7bf993d97a086fb830e34d5c4f396
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -303,43 +303,14 @@ public class LDAPProfileSubsystem
 readProfile(entry);
 }
 
+/**
+ * Commit the configStore and track the resulting
+ * entryUSN and (in case of add) the nsUniqueId
+ */
 @Override
-public synchronized void commitProfile(String id) throws EProfileException 
{
-LDAPConfigStore cs = (LDAPConfigStore) 
mProfiles.get(id).getConfigStore();
-
-// first create a *new* profile object from the configStore
-// and initialise it with the updated configStore
-//
-IPluginRegistry registry = (IPluginRegistry)
-CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
-String classId = mProfileClassIds.get(id);
-IPluginInfo info = registry.getPluginInfo("profile", classId);
-String className = info.getClassName();
-IProfile newProfile = null;
-try {
-newProfile = (IProfile) Class.forName(className).newInstance();
-} catch (ClassNotFoundException | InstantiationException | 
IllegalAccessException e) {
-throw new EProfileException("Could not instantiate class '"
-+ classId + "' for profile '" + id + "': " + e);
-}
-newProfile.setId(id);
-try {
-newProfile.init(this, cs);
-} catch (EBaseException e) {
-throw new EProfileException(
-"Failed to initialise profile '" + id + "': " + e);
-}
-
-// next replace the existing profile with the new profile;
-// this is to avoid any intermediate state where the profile
-// is not fully initialised with its inputs, outputs and
-// policy objects.
-//
-mProfiles.put(id, newProfile);
-
-// finally commit the configStore and track the resulting
-// entryUSN and (in case of add) the nsUniqueId
-//
+protected void commitConfigStore(String id, IConfigStore configStore)
+throws EProfileException {
+LDAPConfigStore cs = (LDAPConfigStore) configStore;
 try {
 String[] attrs = {"entryUSN", "nsUniqueId"};
 LDAPEntry entry = cs.commitReturn(false, attrs);
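Review bot: the unchecked cast `(LDAPConfigStore) configStore` will surface as a bare `ClassCastException` if the superclass ever passes another store type; either guard it and throw `EProfileException` naming the profile id, or note in the new Javadoc that `LDAPProfileSubsystem` only ever holds `LDAPConfigStore` instances. Also, the removed override was `synchronized`; this now relies on the superclass `commitProfile` being synchronized, which is worth a comment here.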
-- 
2.9.3

From ca09f58f4a953fb8d40898a1924f236bba42fa29 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 7 Feb 2017 17:39:33 +1000
Subject: [PATCH 160/161] ISourceConfigStore: add clear() method to interface

The SourceConfigStore load() method does not clear the config store,
but this might be necessary to avoid stale data if wanting 

Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-08 Thread Fraser Tweedale
On Wed, Feb 01, 2017 at 05:25:58PM +1000, Fraser Tweedale wrote:
> Hi all,
> 
> The attached patches implement the long-desired feature to copy CN
> to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> 
> I've also pushed the branch to my GitHub repo; feel free to review
> the patches there:
> https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> 
> Thanks,
> Fraser

ACKed by mharmsen and batkisso.

Pushed to master with following trivial changes:

- fix a missing import in upgrade scriptlet
- break upgrade scriptlet into separate patch, for easy exclusion
  or modification when backporting

* 31dfbb569756e8c28500b597ac4486f780761c4c Add upgrade script to add 
CommonNameToSANDefault plugin
* 9cb00049ec731cca36de822f6c1e834f7febcb4f Add profile component that copies CN 
to SAN dNSName
* 979b6a2da433e97c1ada6434b432aa4aabc47ab5 X500Name: add method to get all 
attributes of a given type
* a67816eebbed2332327fbf391f3e23223ee7690e SubjectAlternativeNameExtension: add 
GeneralNames getter/setter
* 225dd099efa7e2f752c3f50157aaec71a9834873 GeneralName: add method to get at 
inner value
* f371114134ee3b6a83b747eecf46e001080b1e9c DNSName: add method to get value

Thanks,
Fraser


Re: [Pki-devel] [PATCH] 0151..0155 Add profile component that copies CN to SAN

2017-02-02 Thread Fraser Tweedale
Discussion for devs: once this is merged should I update all the
included service-oriented profiles (e.g. caCAcert; not user or CA
cert profiles) to add this profile component?

IMO we should do it, but we should not automatically update existing
installations.  Instead, we (I) can produce a KBase article about
using the new component.

Let me know what you think.

Cheers,
Fraser

On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
> On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> > Hi all,
> > 
> > The attached patches implement the long-desired feature to copy CN
> > to SubjectAltName (https://fedorahosted.org/pki/ticket/1710).
> > 
> > I've also pushed the branch to my GitHub repo; feel free to review
> > the patches there:
> > https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
> > 
> > Thanks,
> > Fraser
> > 
> > 
> 
> Fraser,
> 
> In order to review this patch, I am going to apply it and make a scratch
> build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
> us.
> 
> If they give us their approval, you can consider yourself granted an ACK on
> this patch and check it into master so that I can cherry-pick it into the
> 10.3 branches.
> 
> -- Matt
> 
> P. S. - FYI, the following conversation took place on #cs today:
> 
> dminnich,walrus: ftweedal has released a patch for
>https://fedorahosted.org/pki/ticket/1710 - Add profile component
>that copies CN to SAN -- if I applied that patch to a 10.3.3
>pki-core for RHEL 7.3, could you guys test it out, or in order to
>test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
>7.2 like last time?
> mharmsen: having a scratch build of 7.2 would be quickest
> we are just now planning the 7.3 upgrade, which will take
>some time to get into dev
> walrus: okay, I can try to see if I can do that, but
>remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
> yeah we should be on 7.3 in a month or so... a lot of
>things to test on a lot of servers :)
> csnell|wfh: ^^^
> walrus: completely understood! LOL
> mharmsen: that will be a very welcome patch
> mharmsen: do you happen to know if ACLs work against SANs?
> dminnich: not off the top of my head
> edewata, cfu, jmagne: ^^^?
> that is something on our to investigate list as well
> dminnich: I am going to drop an email to ftweedal, and I
>will ask that question
> mharmsen: no idea about SAN
> mharmsen, don't know
> dminnich, mharmsen , what does that mean?
> cfu: right now we allow only people in LDAP group X to
>issue certs for domains that meet Y regex.  but we don't check
>SANs.  so somebody could CN=blah.devlab.com and get approved but add
>a SAN for www.redhat.com and we don't deny it
> dminnich: where is X & Y defined?
>
>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n12
>
> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/templates/ca/profiles/ca/caDirServerCert-pnt-devops-domains.cfg#n26
> edewata: ^ some of that might be added by puppet later. But
> that's the gist
> dminnich: ok, it's in profile, not ACL
> authz.acl=group  and constraints
> dminnich, dminnich ah, I see. so it's like a pattern
>constraint just like what we have for subject name now in the
>profile.  Yeah, you can write a constraint plugin for that
> dminnich, anyway, feel free to file a ticket for it.
> cfu: will do
> 
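
A profile-constraint style check for the gap raised in the #cs conversation above, where a subject-name pattern constraint says nothing about SAN values, combined with the CN-to-SAN copy behaviour from the patch series. This is an added example, not Dogtag code or the CommonNameToSANDefault plugin; the `ALLOWED_DNS_NAME` pattern stands in for the profile's "Y regex" and the host names are constructed from the log.

```python
"""Check a request's CN and SAN dNSNames against one domain policy
(added example; not Dogtag's own constraint or default plugin code)."""
import re

# Constructed policy standing in for the profile's "Y regex": only hosts
# directly under devlab.com may be issued.  Assumed, not from any Dogtag profile.
ALLOWED_DNS_NAME = re.compile(r"[a-z0-9-]+\.devlab\.com", re.IGNORECASE)


def copy_cn_to_san(cn, san_dns_names):
    """Return the SAN dNSName list with the CN appended unless an equal
    (case-insensitive) dNSName is already present, mirroring the duplicate
    avoidance described in the GeneralName.unwrap() commit message."""
    if any(n.lower() == cn.lower() for n in san_dns_names):
        return list(san_dns_names)
    return list(san_dns_names) + [cn]


def names_outside_policy(names, allowed=ALLOWED_DNS_NAME):
    """Return every name the policy rejects.  Used on the SAN list (which after
    the copy always contains the CN) so SAN values are constrained too.
    A wildcard label is rejected by this pattern, the conservative default."""
    return [n for n in names if not allowed.fullmatch(n)]


def evaluate_request(cn, san_dns_names):
    """Apply the CN-to-SAN copy, then the policy to the whole SAN list.
    Returns (final SAN dNSNames, rejected names); an empty rejected list
    means the request may be issued."""
    final_san = copy_cn_to_san(cn, san_dns_names)
    return final_san, names_outside_policy(final_san)


if __name__ == "__main__":
    # The case from the #cs log: a conforming CN plus a SAN for another domain.
    print(evaluate_request("blah.devlab.com", ["www.redhat.com"]))
    # A clean request; the CN is not copied twice even though it differs in case.
    print(evaluate_request("Host1.devlab.com", ["host1.devlab.com", "host2.devlab.com"]))
```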


[Pki-devel] [PATCH] 0149 Use BigInteger for entryUSN

2017-01-22 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2579.

Thanks,
Fraser
From 4201b2c02546e4d404816a4932ba2d0d688f2c55 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 23 Jan 2017 17:11:26 +1000
Subject: [PATCH] Use BigInteger for entryUSN

Currently we try to parse the entryUSN into an Integer, which wraps
the 'int' primitive type.  If entryUSN value is too large to fit in
'int', NumberFormatException is raised.

Change LDAPProfileSubsystem and CertificateAuthority to use
BigInteger for entryUSN values.

Fixes: https://fedorahosted.org/pki/ticket/2579
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java   | 12 ++--
 .../com/netscape/cmscore/profile/LDAPProfileSubsystem.java  | 13 +++--
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
92bf64412c0edcf5540830438e6c356dbb4811bc..7ad40a9f6e436d4d3c4c947165a2c7ae18dc960a
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -334,7 +334,7 @@ public class CertificateAuthority
 
 /* Maps and sets of entryUSNs and nsUniqueIds for avoiding race
  * conditions and unnecessary reloads related to replication */
-private static TreeMap<AuthorityID,Integer> entryUSNs = new TreeMap<>();
+private static TreeMap<AuthorityID,BigInteger> entryUSNs = new TreeMap<>();
 private static TreeMap<AuthorityID,String> nsUniqueIds = new TreeMap<>();
 private static TreeSet deletedNsUniqueIds = new TreeSet<>();
 
@@ -2902,7 +2902,7 @@ public class CertificateAuthority
 
 LDAPAttribute attr = entry.getAttribute("entryUSN");
 if (attr != null) {
-Integer entryUSN = new Integer(attr.getStringValueArray()[0]);
+BigInteger entryUSN = new 
BigInteger(attr.getStringValueArray()[0]);
 entryUSNs.put(aid, entryUSN);
 CMS.debug("postCommit: new entryUSN = " + entryUSN);
 }
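Review bot: `new BigInteger(attr.getStringValueArray()[0])` fixes the range problem but still throws `NumberFormatException` if the entryUSN value is not a decimal string, so a malformed attribute would abort `postCommit` just as before; since the surrounding code only logs via `CMS.debug`, consider catching the exception and logging the bad value rather than propagating it.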
@@ -3268,7 +3268,7 @@ public class CertificateAuthority
 return;
 }
 
-Integer newEntryUSN = null;
+BigInteger newEntryUSN = null;
 LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
 if (entryUSNAttr == null) {
 CMS.debug("readAuthority: no entryUSN");
@@ -3285,14 +3285,14 @@ public class CertificateAuthority
 // entryUSN attribute being added.
 }
 } else {
-newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
+newEntryUSN = new 
BigInteger(entryUSNAttr.getStringValueArray()[0]);
 CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
 }
 
-Integer knownEntryUSN = entryUSNs.get(aid);
+BigInteger knownEntryUSN = entryUSNs.get(aid);
 if (newEntryUSN != null && knownEntryUSN != null) {
 CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
-if (newEntryUSN <= knownEntryUSN) {
+if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
 CMS.debug("readAuthority: data is current");
 return;
 }
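Review bot: `newEntryUSN.compareTo(knownEntryUSN) <= 0` is the right replacement for the unboxed `<=`; the `newEntryUSN != null && knownEntryUSN != null` guard above it stays necessary because `compareTo` on a null operand would NPE where the old unboxing did too. No change needed.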
diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 
213c7a9f19f93ded4c42b6c06768a893a1257f71..fff8ead3f2088aedaf5856c308dd33be90af7779
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -19,6 +19,7 @@ package com.netscape.cmscore.profile;
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
+import java.math.BigInteger;
 import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.Hashtable;
@@ -65,7 +66,7 @@ public class LDAPProfileSubsystem
 
 /* Map of profileId -> entryUSN for the most recent view
  * of the profile entry that this instance has seen */
-private TreeMap<String,Integer> entryUSNs;
+private TreeMap<String,BigInteger> entryUSNs;
 
 private TreeMap<String,String> nsUniqueIds;
 
@@ -168,14 +169,14 @@ public class LDAPProfileSubsystem
 }
 profileId = LDAPDN.explodeDN(dn, true)[0];
 
-Integer newEntryUSN = new Integer(
+BigInteger newEntryUSN = new BigInteger(
 ldapProfile.getAttribute("entryUSN").getStringValueArray()[0]);
 CMS.debug("readProfile: new entryUSN = " + newEntryUSN);
 
-Integer knownEntryUSN = entryUSNs.get(profileId);
+BigInteger knownEntryUSN = entryUSNs.get(profileId);
 if (knownEntryUSN != null) {

[Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-02-21 Thread Fraser Tweedale
The following patches add the revocation reason to the REST cert
data (i.e. GET /ca/rest/certs/{id}).

Patches 0163 and 0164 were pushed under trivial rule.

Please review 0165.

Thanks,
Fraser
From f50507eac86edba2fba01ff25d6937f7d991770e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 22 Feb 2017 10:39:02 +1000
Subject: [PATCH 163/165] Remove unused import

Part of: https://fedorahosted.org/pki/ticket/2601
---
 base/server/cmscore/src/com/netscape/cmscore/dbs/RevocationInfo.java | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/dbs/RevocationInfo.java 
b/base/server/cmscore/src/com/netscape/cmscore/dbs/RevocationInfo.java
index 
36f470511ae1ec0ea31d1997a76f6e4655eb1b2b..2cc9acb583266c19bee7fbad43962d35785aaf45
 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/RevocationInfo.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/RevocationInfo.java
@@ -21,7 +21,6 @@ import java.io.Serializable;
 import java.util.Date;
 
 import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
 
 import com.netscape.certsrv.dbs.certdb.IRevocationInfo;
 
-- 
2.9.3

From dd77a7d4e199d7678176398324957c2d45e28205 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 22 Feb 2017 10:45:15 +1000
Subject: [PATCH 164/165] Refactor CertRetrievalRequest construction

Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.

Part of: https://fedorahosted.org/pki/ticket/2601
---
 base/ca/src/org/dogtagpki/server/ca/rest/CertService.java |  3 +--
 .../com/netscape/certsrv/cert/CertRetrievalRequest.java   | 15 ++-
 2 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 
54a349e2a60c6fd7571c2cb43a0504d96050c11a..2f9f467294322428620e2dc800618cde59faf28d
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -136,8 +136,7 @@ public class CertService extends PKIService implements 
CertResource {
 throw new BadRequestException("Unable to get certificate: Invalid 
id.");
 }
 
-CertRetrievalRequest data = new CertRetrievalRequest();
-data.setCertId(id);
+CertRetrievalRequest data = new CertRetrievalRequest(id);
 
 CertData certData = null;
 
diff --git 
a/base/common/src/com/netscape/certsrv/cert/CertRetrievalRequest.java 
b/base/common/src/com/netscape/certsrv/cert/CertRetrievalRequest.java
index 
ac8ea079ac468ed7d819f1ce68e494882b5a86d6..7e653d7111202a0583dd8de93411e73bf111ede5
 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertRetrievalRequest.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertRetrievalRequest.java
@@ -41,8 +41,6 @@ import com.netscape.certsrv.request.RequestIdAdapter;
 @XmlAccessorType(XmlAccessType.FIELD)
 public class CertRetrievalRequest {
 
-private static final String CERT_ID = "certId";
-
 @XmlElement
 @XmlJavaTypeAdapter(CertIdAdapter.class)
 protected CertId certId;
@@ -55,10 +53,8 @@ public class CertRetrievalRequest {
 // required for JAXB (defaults)
 }
 
-public CertRetrievalRequest(MultivaluedMap<String, String> form) {
-if (form.containsKey(CERT_ID)) {
-certId = new CertId(form.getFirst(CERT_ID));
-}
+public CertRetrievalRequest(CertId certId) {
+this.certId = certId;
 }
 
 /**
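Review bot: removing the public `CertRetrievalRequest(MultivaluedMap<String, String> form)` constructor from a class in base/common (package `com.netscape.certsrv.cert`) is an API change visible to anything built against the common/client jar, not only to CertService, so it is worth a grep for other callers and a sentence in the commit message before pushing. Also, with that constructor gone the `MultivaluedMap` import at the top of the file is presumably unused now and can go the way of the CRLReasonExtension import in 0163.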
@@ -68,11 +64,4 @@ public class CertRetrievalRequest {
 return certId;
 }
 
-/**
- * @param CertId the CertId to set
- */
-public void setCertId(CertId certId) {
-this.certId = certId;
-}
-
 }
-- 
2.9.3

From 1ee1d50819811d364778add187026d4069b8ab68 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 22 Feb 2017 11:26:43 +1000
Subject: [PATCH 165/165] Include revocation reason in REST cert data

Fixes: https://fedorahosted.org/pki/ticket/2601
---
 .../src/org/dogtagpki/server/ca/rest/CertService.java  | 18 ++
 .../common/src/com/netscape/certsrv/cert/CertData.java | 10 ++
 2 files changed, 28 insertions(+)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 
2f9f467294322428620e2dc800618cde59faf28d..ebbab25728b0df2b9f64e7042a1e8002aebcdce2
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -64,6 +64,7 @@ import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertRecordList;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com

[Pki-devel] [PATCH] 0162 Fix NPE in server shutdown when startup failed

2017-02-19 Thread Fraser Tweedale
The attached patch fixes an NPE that can occur if startup fails
(e.g. due to database unavailable).

Pushed under trivial rule.

Thanks,
Fraser
From aa9bca02d0469e16a93812564bf44369c30002da Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 20 Feb 2017 11:08:50 +1000
Subject: [PATCH] Fix NPE in server shutdown when startup failed

If server startup fails, the shutdown() routine tries to shut down
the logger instance, which may not have been initialised.  This
raises a NullPointerException which can mask the original exception.

Only attempt to shut down the logger instance if it is non-null.
---
 .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java 
b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 
d7d7a3a8974b0810f110aefe6823513a396288c1..4ddb42c67506c727bb52fdc6092a383f87ad22bb
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ 
b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -1883,7 +1883,8 @@ public class SelfTestSubsystem
 instance.shutdownSelfTest();
 }
 
-mLogger.shutdown();
+if (mLogger != null)
+mLogger.shutdown();
 }
 
 /**
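Review bot: the null check is the right fix, but the two-line `if` without braces is inconsistent with the enclosing block in this hunk (`instance.shutdownSelfTest();` sits inside a braced block); suggest `if (mLogger != null) { mLogger.shutdown(); }`. It may also be worth a `CMS.debug(...)` in the null branch so a shutdown that ran without an initialised logger, i.e. after a failed startup, leaves a trace in the debug log rather than passing silently.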
-- 
2.9.3

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0150 Allow DirAclAuthz to be configured to read alternative entry

2017-02-09 Thread Fraser Tweedale
On Tue, Jan 24, 2017 at 02:45:48PM +1000, Fraser Tweedale wrote:
> The attached patch (part of the GSS-API effort) allows DirAclAuthz
> configuration to specify to read the ACLs from a different entry (it
> is currently hard-coded).
> 
> Thanks,
> Fraser
>
ACKed by alee; pushed to master:
76266bbf9b48f0ff01e7bfc9cd114c7ced460256

Thanks,
Fraser



[Pki-devel] [PATCH] 0166 CMS.getLogMessage: escape format elements in arguments

2017-03-01 Thread Fraser Tweedale
Hi team,

Please review attached patch that fixes an issue in CMS message
formatting: if one of the message arguments contains '{' or '}', in
subsequent logging this is interpreted as a FormatElement and
parsing fails.

Thanks,
Fraser
From 45c90767ff697209c4e46581f796807c0093f527 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 2 Mar 2017 16:32:21 +1000
Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments

CMS.getLogMessage performs message formatting via MessageFormat,
then the message gets logged via a Logger.  The Logger also performs
message formatting via MessageFormat.  If the formatted log message
contains '{' or '}' (e.g. if it contains JSON) the MessageFormat
implementation interprets these as FormatElement delimiters and
parsing fails.

Update CMS.getLogMessage() to scan arguments for unsafe characters
and if found, escape the whole message so that subsequent logging
will succeed.

Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java 
b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 
90ee8b90a4841ee79970c9b857b95468d7ecd2ec..31ec53f8aaeda818bf174111f115cf611267897c
 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1592,7 +1592,21 @@ public class CMSEngine implements ICMSEngine {
 return msg;
 MessageFormat mf = new MessageFormat(msg);
 
-return mf.format(params);
+String escapedParams[] = new String[params.length];
+for (int i = 0; i < params.length; i++)
+escapedParams[i] = escapeLogMessageParam(params[i]);
+
+return mf.format(escapedParams);
+}
+
+/** Quote a string for inclusion in a java.text.MessageFormat
+ */
+private String escapeLogMessageParam(String s) {
+if (s == null)
+return null;
+if (s.contains("{") || s.contains("}"))
+return "'" + s.replaceAll("'", "''") + "'";
+return s;
 }
 
 public void debug(byte data[]) {
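Review bot: escapeLogMessageParam only quotes a parameter when it contains a brace, but the apostrophe is MessageFormat's quote character too, so a brace-free parameter such as `O'Brien` still reaches the logger's second MessageFormat pass unescaped, which reads the `'` as the start of a quoted run: the apostrophe is dropped and any later `{n}` up to the next apostrophe is taken literally. Suggest doubling apostrophes unconditionally and reserving the surrounding quotes for the brace case, i.e. keep `return "'" + s.replaceAll("'", "''") + "'";` for the brace branch and change the fall-through to `return s.replaceAll("'", "''");`. A short javadoc on getLogMessage saying that its output is expected to pass through MessageFormat again would also explain why the escaping lives here rather than in the logger.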
-- 
2.9.3

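Worked example, added here and not part of patch 0166 or of the Dogtag tree: a stand-alone Java program that reproduces the double-MessageFormat failure the commit message describes and shows what the escaping rule from escapeLogMessageParam does to it. The first pass stands in for CMS.getLogMessage(); the second pass models the logger the commit message mentions, and it is an assumption of this example that the logger formats with no further arguments. The JSON parameter is a constructed sample.

```java
import java.text.MessageFormat;

public class LogMessageEscapeDemo {

    // Same rule as escapeLogMessageParam() in the patch: a parameter that
    // contains a brace is wrapped in MessageFormat's quote character and any
    // apostrophe inside it is doubled so the quoting stays balanced.
    static String escapeLogMessageParam(String s) {
        if (s == null)
            return null;
        if (s.contains("{") || s.contains("}"))
            return "'" + s.replaceAll("'", "''") + "'";
        return s;
    }

    // First pass, standing in for CMS.getLogMessage(): substitute the
    // (escaped) parameters into the message pattern.
    static String getLogMessage(String pattern, String... params) {
        Object[] escaped = new Object[params.length];
        for (int i = 0; i < params.length; i++)
            escaped[i] = escapeLogMessageParam(params[i]);
        return new MessageFormat(pattern).format(escaped);
    }

    // Second pass, standing in for the logger: the already-formatted text is
    // parsed as a MessageFormat pattern again (assumed here to be formatted
    // with no further arguments).
    static String loggerPass(String msg) {
        return new MessageFormat(msg).format(new Object[0]);
    }

    public static void main(String[] args) {
        String pattern = "Request {0} rejected: {1}";
        String json = "{\"cn\": \"O'Brien\", \"reason\": 1}";   // constructed sample

        // Before the patch: the JSON is substituted verbatim, and the second
        // pass parses {"cn": ...} as a format element and throws.
        String unescaped = MessageFormat.format(pattern, "42", json);
        try {
            loggerPass(unescaped);
            System.out.println("unexpected: second pass accepted " + unescaped);
        } catch (IllegalArgumentException e) {
            System.out.println("second pass failed: " + e.getMessage());
        }

        // After the patch: the first pass emits '{"cn": "O''Brien", ...}',
        // which the second pass reads as quoted literal text and unquotes.
        String escaped = getLogMessage(pattern, "42", json);
        System.out.println("first pass : " + escaped);
        System.out.println("second pass: " + loggerPass(escaped));

        // Caveat: an apostrophe in a brace-free parameter is left alone, and
        // the second pass treats it as an unterminated quote and discards it.
        String plain = getLogMessage("User {0} not found", "O'Brien");
        System.out.println("second pass: " + loggerPass(plain));
    }
}
```

The last case is the reason to double apostrophes regardless of whether a brace is present: the second pass never throws on a stray quote, it just silently alters the message, which is harder to notice in an audit log than a formatting exception.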

[Pki-devel] [PATCH] 0134 Block reads during reload of LDAP-based profiles

2016-09-14 Thread Fraser Tweedale
Hi team,

The attached patch fixes (yet another) race condition in
LDAPProfileSubsystem.

https://fedorahosted.org/pki/ticket/2453

Additional context: https://fedorahosted.org/freeipa/ticket/6274

Thanks,
Fraser
From 24a5ad6f84387055468e0125df90fea6635da484 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 14 Sep 2016 19:39:36 +1000
Subject: [PATCH] Block reads during reload of LDAP-based profiles

LDAP disconnect (e.g. due to DS restart) causes LDAPProfileSubsystem
to drop all its profiles and reload them.  If a profile is read
during this time, e.g. to issue a certificate, it might not have
been reloaded thus causing the operation to fail.

Introduce the AsyncLoader class which allows a consumer to await the
completion of a (re)load, if one is happening.  Update the
getProfile and getProfileIds method to use it.

The existing 'initialLoadDone' CountDownLatch for blocking
LDAPProfileSubsystem init until the initial load of profiles is
completed was subsumed by AsyncLoader.

Fixes: https://fedorahosted.org/pki/ticket/2453
---
 .../src/com/netscape/certsrv/util/AsyncLoader.java | 86 ++
 .../cmscore/profile/LDAPProfileSubsystem.java  | 59 ++-
 2 files changed, 127 insertions(+), 18 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/util/AsyncLoader.java

diff --git a/base/common/src/com/netscape/certsrv/util/AsyncLoader.java 
b/base/common/src/com/netscape/certsrv/util/AsyncLoader.java
new file mode 100644
index 
..39f8efd3272607ed6ac219b1b42bf9a4cb076a80
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/util/AsyncLoader.java
@@ -0,0 +1,86 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016  Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.util;
+
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.locks.ReentrantLock;
+
+/** A locking mechanism for loading or reloading an initially
+ * unknown number of items.
+ *
+ * The "producer" is the thread that loads items, informing the
+ * Loader when each item is loaded and how many items there are
+ * (when that fact becomes known).
+ *
+ * Other threads can await the completion of a (re)loading
+ * process.
+ */
+public class AsyncLoader {
+private CountDownLatch producerInitialised = new CountDownLatch(1);
+private ReentrantLock loadingLock = new ReentrantLock();
+private Integer numItems = null;
+private int numItemsLoaded = 0;
+
+/**
+ * Acquire the lock as a producer.
+ */
+public void startLoading() {
+numItems = null;
+numItemsLoaded = 0;
+loadingLock.lock();
+producerInitialised.countDown();
+}
+
+/**
+ * Increment the number of items loaded by 1.  If the number
+ * of items is known and that many items have been loaded,
+ * unlock the loader.
+ */
+public void increment() {
+numItemsLoaded += 1;
+checkLoadDone();
+}
+
+/**
+ * Set the number of items.  If the number of items already
+ * loaded is equal to or greater than the number, unlock the
+ * loader.
+ */
+public void setNumItems(Integer n) {
+numItems = n;
+checkLoadDone();
+}
+
+private void checkLoadDone() {
+if (numItems != null && numItemsLoaded >= numItems) {
+while (loadingLock.isHeldByCurrentThread())
+loadingLock.unlock();
+}
+}
+
+public void awaitLoadDone() throws InterruptedException {
+/* A consumer may await upon the Loader immediately after
+ * starting the producer.  To ensure that the producer
+ * has time to acquire the lock, we use a CountDownLatch.
+ */
+producerInitialised.await();
+loadingLock.lock();
+loadingLock.unlock();
+}
+}
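Review bot: `producerInitialised` is a one-shot latch, so it only gates consumers for the very first load; on a reload after an LDAP reconnect there is a window between the producer deciding to reload and `startLoading()` taking `loadingLock` in which `awaitLoadDone()` returns immediately and a reader can observe a partially emptied profile set, which is the race this patch is meant to close. Also, `checkLoadDone()` releases the lock only while `loadingLock.isHeldByCurrentThread()`, so `startLoading()`, `increment()` and `setNumItems()` must all run on the same thread or the lock is never released and every `awaitLoadDone()` caller blocks forever; that contract belongs in the class javadoc. A `ReentrantReadWriteLock` held on the write side for the whole of a reload and on the read side by lookups would avoid both issues without the item counting.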
diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 
6dea1a0d88beaefeea489ea58ad9ad13d2da8bd7..fd5aa64eed8385ad18a307b6addaee6222d9f9cf
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ 
b/base/server/cmsco

Re: [Pki-devel] [PATCH] 0134 Block reads during reload of LDAP-based profiles

2016-09-14 Thread Fraser Tweedale
On Wed, Sep 14, 2016 at 07:16:32PM -0500, Endi Sukma Dewata wrote:
> On 9/14/2016 7:14 AM, Fraser Tweedale wrote:
> > Hi team,
> > 
> > The attached patch fixes (yet another) race condition in
> > LDAPProfileSubsystem.
> > 
> > https://fedorahosted.org/pki/ticket/2453
> > 
> > Additional context: https://fedorahosted.org/freeipa/ticket/6274
> > 
> > Thanks,
> > Fraser
> 
> The patch looks fine, but probably it can be simplified like this:
> 
> class LDAPProfileSubsystem {
> 
> void init() {
> 
> // load initial profiles
> repository = new LDAPProfileRepository();
> repository.load();
> 
> // monitor profile changes in the background
> monitor = new Thread(repository);
> monitor.start();
> }
> 
> IProfile getProfile(id) {
> return repository.getProfile(id);
> }
> }
> 
> class LDAPProfileRepository {
> 
> LinkedHashMap profiles = ...
> 
> void synchronized load() {
> 
> // create persistent search
> conn = dbFactory.getConn();
> results = conn.search(...);
> 
> // get number of profiles
> entry = results.next();
> numProfiles = entry.getAttribute("numSubordinates");
> 
> for (i=0; i<numProfiles; i++) {
> // read profile
> entry = results.next();
> readProfile(entry);
> }
> }
> 
> void synchronized readProfile() {
> ...
> }
> 
> IProfile synchronized getProfile(id) {
> return profiles.get(id);
> }
> 
> void run() {
> 
> while (true) {
> try {
> // process profile changes
> while (results.hasMoreElements()) {
> entry = results.next();
> ...
> }
> } catch (...) {
> // reconnect
> load();
> }
> }
> }
> }
> 
> So the load() will block during initialization and will also block readers
> during reload after reconnect. We probably can replace "synchronized" with
> ReadWriteLock to allow concurrent readers.
> 
Yep, that's a good approach.

> Feel free to push the patch as is (assuming it's well tested). We can make
> further improvements later on.
> 
> One thing though, I highly suggest that we fix this issue on both Fedora and
> RHEL/CentOS platforms. The patch is non-trivial, so the behavior could be
> different if not applied consistently. Since PKI is developed mainly on
> Fedora but used on different platforms, it would be much easier to
> troubleshoot issues by keeping the behavior consistent across platforms,
> especially on anything related to concurrency.
> 
> We don't need to create new builds for all platforms at the same time, but
> we should at least push this patch to all 10.3 branches so it can be picked
> up in the next 10.3 build of the corresponding platform.
> 
The patch is (at this stage) not destined for 10.3 at all.  I'd
prefer to push it to master to be included in Fedora when 10.4 gets
released, and other platforms' builds whenever they rebase.

I might go ahead and implement your suggested change before merging,
too, although probably as a second patch.

Thanks for reviewing!

Cheers,
Fraser

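As an added illustration of the ReadWriteLock variant proposed in the reply above (example code, not Dogtag's LDAPProfileSubsystem or the AsyncLoader from the patch): readers share a read lock and a reload holds the write lock from the moment the map is cleared until the last entry is back, so a lookup during a reload waits instead of seeing a half-empty profile set. The `Profile` and `ProfileRepository` classes are stand-ins, the profile ids are a constructed sample, and the LDAP search is simulated with a fixed array and a per-entry delay.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.locks.ReentrantReadWriteLock;

public class ProfileReloadDemo {

    // Stand-in for IProfile: only the id matters here.
    static final class Profile {
        final String id;
        Profile(String id) { this.id = id; }
    }

    // Stand-in for the LDAPProfileRepository sketched in the reply. A reload
    // holds the write lock while the map is cleared and refilled, so a reader
    // sees either the old complete set or the new one, never the gap between.
    static final class ProfileRepository {
        private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
        private final Map<String, Profile> profiles = new LinkedHashMap<>();

        // entryIds stands in for the persistent-search results; perEntryMs
        // simulates the time to read each entry from LDAP. If 'locked' is
        // non-null it is counted down once the write lock is held (demo only).
        void load(String[] entryIds, long perEntryMs, CountDownLatch locked)
                throws InterruptedException {
            lock.writeLock().lock();
            try {
                if (locked != null)
                    locked.countDown();
                profiles.clear();
                for (String id : entryIds) {
                    Thread.sleep(perEntryMs);
                    profiles.put(id, new Profile(id));
                }
            } finally {
                lock.writeLock().unlock();
            }
        }

        // Readers share the read lock: lookups run concurrently with each
        // other and only wait while a load() is in progress.
        Profile getProfile(String id) {
            lock.readLock().lock();
            try {
                return profiles.get(id);
            } finally {
                lock.readLock().unlock();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String[] ids = {"caIPAserviceCert", "caUserCert", "caServerCert"};  // sample ids
        ProfileRepository repo = new ProfileRepository();
        repo.load(ids, 0, null);

        // Simulate the reconnect-triggered reload on a background thread and
        // wait until it actually holds the write lock before reading.
        CountDownLatch reloading = new CountDownLatch(1);
        Thread reloader = new Thread(() -> {
            try {
                repo.load(ids, 50, reloading);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        reloader.start();
        reloading.await();

        // Unsynchronised, this lookup would hit the cleared map and return
        // null (the failure mode in ticket 2453); under the read lock it
        // blocks for the remainder of the reload and then finds the profile.
        long start = System.nanoTime();
        Profile p = repo.getProfile("caServerCert");
        long waitedMs = (System.nanoTime() - start) / 1_000_000;
        System.out.println("getProfile returned " + (p == null ? "null" : p.id)
                + " after waiting " + waitedMs + " ms");
        reloader.join();
    }
}
```

One consequence of this design worth keeping in mind: a reload that cannot complete (LDAP still down) keeps the write lock and stalls every certificate request behind it, so the reload loop needs a bounded retry or the old map should be kept serving until the new one is fully read and then swapped under the write lock.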


[Pki-devel] [PATCH] 0135 Do not attempt LWCA key retrieval for host authority

2016-09-21 Thread Fraser Tweedale
Hi team,

Please review the attached patch which fixes a regression in
two-step externally-signed CA installation.  It is destined for 10.3
branch as well as master.

https://fedorahosted.org/pki/ticket/2466

Cheers,
Fraser
From fca5fd053434d112998c814bc6d9424b6a5bac98 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 21 Sep 2016 20:18:37 +1000
Subject: [PATCH] Do not attempt LWCA key retrieval for host authority

During two-step installation of externally-signed CA, installation
can fail because host authority's private key cannot be located (a
temporary condition), causing LWCA key replication to fire, which
throws NullPointerException because the host authority's AuthorityID
has not been set yet.

Do not start key retrieval if the CA's AuthorityID is null (a
condition which implies that the CA is the host authority).

Fixes: https://fedorahosted.org/pki/ticket/2466
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
1f77fd81fc850af9996329dbec7d6a973ba62942..a4f102435ae7a1f2ab1e27814a52b5689639d0f7
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -1569,7 +1569,12 @@ public class CertificateAuthority
 CMS.debug("CA signing key and cert not (yet) present in 
NSSDB");
 signingUnitException = e;
 if (retrieveKeys == true) {
-if (!keyRetrieverThreads.containsKey(authorityID)) {
+if (authorityID == null) {
+// Only the host authority should ever see a
+// null authorityID, e.g. during two-step
+// installation of externally-signed CA.
+CMS.debug("null authorityID -> host authority; not 
starting KeyRetriever");
+} else if (!keyRetrieverThreads.containsKey(authorityID)) {
 CMS.debug("Starting KeyRetrieverRunner thread");
 Thread t = new Thread(
 new KeyRetrieverRunner(authorityID, mNickname, 
authorityKeyHosts),
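Review bot: skipping key retrieval for a null authorityID is only recorded with CMS.debug; if a host CA ever reaches this branch outside two-step installation (signing cert genuinely missing from the NSSDB) the only trace will be a debug line. Suggest logging it through `log(ILogger.LL_WARN, ...)` as well, as the deleteAuthorityNSSDB guard in patch 0130 does, and `retrieveKeys == true` in the enclosing condition can simply be `retrieveKeys`.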
-- 
2.5.5


[Pki-devel] [PATCH] 0130 Prevent deletion of host CA cert and key from NSSDB

2016-08-23 Thread Fraser Tweedale
Hi,

Attached patch fixes https://fedorahosted.org/pki/ticket/2443.

Thanks,
Fraser
From e0a546113b65d57e4b00b495f4ef50616ad744c1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 24 Aug 2016 14:40:46 +1000
Subject: [PATCH] Prevent deletion of host CA cert and key from NSSDB

If authorityMonitor observes the deletion of the host CA's authority
entry, it will treat it the same as any other lightweight CA and
delete the signing cert AND KEY from the NSSDB. Because the database
is replicated, the change would be observed and deletion immediately
effected on all running clones.  Unless the main CA private key is
backed up somewhere there is no way to recover from this.

Although this scenario does not arise in normal operation, the
impact is severe so add a check that prevents cert and key deletion
for host authority.

Fixes: https://fedorahosted.org/pki/ticket/2443
---
 base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java 
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index 
a5397da0c0dcea654a15f16e5becc5c430a1bb29..6276100a079ff32757bf2de8540f6e6efa1d1cae
 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -2991,6 +2991,13 @@ public class CertificateAuthority
 /** Delete keys and certs of this authority from NSSDB.
  */
 private void deleteAuthorityNSSDB() throws ECAException {
+if (isHostAuthority()) {
+String msg = "Attempt to delete host authority signing key; not 
proceeding";
+log(ILogger.LL_WARN, msg);
+CMS.debug(msg);
+return;
+}
+
 CryptoManager cryptoManager;
 try {
 cryptoManager = CryptoManager.getInstance();
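Review bot: the guard logs and returns normally, so the caller of deleteAuthorityNSSDB() (the authorityMonitor path described in the commit message) continues as if the certificate and key had been removed, presumably going on to drop the host authority from its in-memory state. Since the method already declares `throws ECAException`, throwing one here would make the anomalous deletion fail loudly instead of leaving the host CA half-removed; if returning silently is intentional, say so in the comment.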
-- 
2.5.5


[Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-11-29 Thread Fraser Tweedale
The attached patch merges some duplicate authz manager code into the
existing AAclAuthz superclass.

It simplifies things if we end up adding a new authz manager as part
of external authentication / GSS-API support.  But it's a nice
refactor to do anyway :)

Thanks,
Fraser
From afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 25 Nov 2016 14:29:40 +1000
Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass

DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
still a lot of duplicate code.  Push the duplicated bits up into the
AAclAuthz.

Also remove abstract method flushResourceACLs() from AAclAuthz, and
its implementation from BasicAclAuthz, because it is only
implemented (meaningfully) by DirAclAuthz.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../com/netscape/cms/authorization/AAclAuthz.java  |  93 ++---
 .../netscape/cms/authorization/BasicAclAuthz.java  | 144 +
 .../netscape/cms/authorization/DirAclAuthz.java| 105 +--
 3 files changed, 78 insertions(+), 264 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 
b3e447cfca49951fe78f6b4896652921ffc43406..f95c98174a06dba9ebf3e43238e566be2e6b5594
 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -30,6 +30,9 @@ import com.netscape.certsrv.acls.IACL;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzInternalError;
+import com.netscape.certsrv.authorization.IAuthzManager;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.evaluators.IAccessEvaluator;
@@ -61,7 +64,7 @@ import com.netscape.cmsutil.util.Utils;
  * @version $Revision$, $Date$
  * @see http://developer.netscape.com/library/documentation/enterprise/admnunix/aclfiles.htm;>ACL
 Files
  */
-public abstract class AAclAuthz {
+public abstract class AAclAuthz implements IAuthzManager {
 
 protected static final String PROP_CLASS = "class";
 protected static final String PROP_IMPL = "impl";
@@ -69,6 +72,12 @@ public abstract class AAclAuthz {
 
 protected static final String ACLS_ATTR = "aclResources";
 
+/* name of this authorization manager instance */
+private String mName = null;
+
+/* name of the authorization manager plugin */
+private String mImplName = null;
+
 private IConfigStore mConfig = null;
 
 private Hashtable<String, ACL> mACLs = new Hashtable<String, ACL>();
@@ -93,14 +102,14 @@ public abstract class AAclAuthz {
 /**
  * Initializes
  */
-protected void init(IConfigStore config)
+public void init(String name, String implName, IConfigStore config)
 throws EBaseException {
-
+mName = name;
+mImplName = implName;
+mConfig = config;
 mLogger = CMS.getLogger();
 CMS.debug("AAclAuthz: init begins");
 
-mConfig = config;
-
 // load access evaluators specified in the config file
 IConfigStore mainConfig = CMS.getConfigStore();
 IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL);
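Review bot: changing `protected void init(IConfigStore config)` to `public void init(String name, String implName, IConfigStore config)` (the IAuthzManager signature) means any subclass still defining the old form becomes an unrelated overload rather than an override, and mName, mImplName and mConfig would never be set. Add `@Override` to the init implementations in BasicAclAuthz and DirAclAuthz updated by this patch so the compiler catches a stale signature.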
@@ -144,6 +153,20 @@ public abstract class AAclAuthz {
 }
 
 /**
+ * gets the name of this authorization manager instance
+ */
+public String getName() {
+return mName;
+}
+
+/**
+ * gets the plugin name of this authorization manager.
+ */
+public String getImplName() {
+return mImplName;
+}
+
+/**
  * Parse ACL resource attributes, then update the ACLs memory store
  * This is intended to be used if storing ACLs on ldap is not desired,
  * and the caller is expected to call this method to add resource
@@ -818,7 +841,7 @@ public abstract class AAclAuthz {
 }
 }
 
-private void log(int level, String msg) {
+protected void log(int level, String msg) {
 if (mLogger == null)
 return;
 mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION,
@@ -830,24 +853,58 @@ public abstract class AAclAuthz {
  **/
 
 /**
- * update acls. called after memory upate is done to flush to permanent
- * storage.
- * 
- */
-protected abstract void flushResourceACLs() throws EACLsException;
-
-/**
- * an abstract class that enforces implementation of the
- * authorize() method that will authorize an operation on a
- * particular resource
+ * check the authorization permissio

[Pki-devel] [PATCH] 0137 Remove unused member

2016-11-29 Thread Fraser Tweedale
Just a drive-by removal of an unused class member.  Pushed under
one-liner rule.

Thanks,
Fraser
From e613f485e9ed08b9b5e6b2ad568a0953b742b0e5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 28 Nov 2016 14:52:11 +1000
Subject: [PATCH] Remove unused member

---
 base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java 
b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
index 
ea5108445356e848ecb9520c7147a75181c11c51..ff97bfa6ce395fcf70ff9e39b0cd47f9416e2493
 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
@@ -89,7 +89,6 @@ public abstract class BasicProfile implements IProfile {
 protected Vector mOutputIds = new Vector();
 protected Hashtable<String, IProfileUpdater> mUpdaters = new 
Hashtable<String, IProfileUpdater>();
 protected Vector mUpdaterIds = new Vector();
-protected IProfileAuthenticator mAuthenticator = null;
 protected String mAuthInstanceId = null;
 protected String mId = null;
 protected String mAuthzAcl = "";
-- 
2.7.4


[Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-11-29 Thread Fraser Tweedale
The attached patch moves some string constants from AuthToken to
IAuthToken.  External authentication support will bring a new
implementation of IAuthToken so moving these to the interface
simplifies things.

Thanks,
Fraser
From 8118f83cc7691e48c63111a050540c9180fd29e5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Tue, 29 Nov 2016 16:10:58 +1000
Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../netscape/certsrv/authentication/AuthToken.java | 34 --
 .../certsrv/authentication/IAuthToken.java | 34 ++
 2 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java 
b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
index 
0febf87727d2ebde9dbcacbd5059f9b9afa13701..53959b131f2d9a99e6b9b65640f8546e84468c66
 100644
--- a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
@@ -51,40 +51,6 @@ import com.netscape.certsrv.usrgrp.Certificates;
 public class AuthToken implements IAuthToken {
 protected Hashtable<String, Object> mAttrs = null;
 
-/* Subject name of the certificate in the authenticating entry */
-public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
-
-/* NotBefore value of the certificate in the authenticating entry */
-public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
-
-/* NotAfter value of the certificate in the authenticating entry */
-public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
-
-/* Cert Extentions value of the certificate in the authenticating entry */
-public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
-
-/* Serial number of the certificate in the authenticating entry */
-public static final String TOKEN_CERT_SERIALNUM = "certSerial";
-
-/**
- * Certificate to be renewed
- */
-public static final String TOKEN_CERT = "tokenCert";
-
-/* Certificate to be revoked */
-public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
-
-/**
- * Name of the authentication manager that created the AuthToken
- * as a string.
- */
-public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName";
-
-/**
- * Time of authentication as a java.util.Date
- */
-public static final String TOKEN_AUTHTIME = "authTime";
-
 /**
  * Constructs an instance of a authentication token.
  * The token by default contains the following attributes: 
diff --git 
a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java 
b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
index 
a71432446edcf6b5d838f1115df16b26acd01dce..a3f240e9c35987462eb2f176de650a769df1005c
 100644
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
@@ -41,6 +41,40 @@ public interface IAuthToken {
 public static final String UID = "uid";
 public static final String GROUPS = "groups";
 
+/* Subject name of the certificate in the authenticating entry */
+public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
+
+/* NotBefore value of the certificate in the authenticating entry */
+public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
+
+/* NotAfter value of the certificate in the authenticating entry */
+public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
+
+/* Cert Extentions value of the certificate in the authenticating entry */
+public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
+
+/* Serial number of the certificate in the authenticating entry */
+public static final String TOKEN_CERT_SERIALNUM = "certSerial";
+
+/**
+ * Certificate to be renewed
+ */
+public static final String TOKEN_CERT = "tokenCert";
+
+/* Certificate to be revoked */
+public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
+
+/**
+ * Name of the authentication manager that created the AuthToken
+ * as a string.
+ */
+public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName";
+
+/**
+ * Time of authentication as a java.util.Date
+ */
+public static final String TOKEN_AUTHTIME = "authTime";
+
 /**
  * Sets an attribute value within this AttrSet.
  *
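Review bot: the constants move over verbatim, including the `Cert Extentions` typo in the TOKEN_CERT_EXTENSIONS comment; since the block is being relocated anyway, fix it to `Cert Extensions`. Source compatibility for existing `AuthToken.TOKEN_*` references is preserved because AuthToken implements IAuthToken and interface constants are inherited.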
-- 
2.7.4


[Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-11-29 Thread Fraser Tweedale
This patch renames (a better name) and moves to the IAuthzSubsystem
interface a method in AuthzSubsystem that may be useful for doing
authorisation checks for external principals.

Thanks,
Fraser
From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Fri, 25 Nov 2016 21:08:56 +1000
Subject: [PATCH 141/141] Add getAuthzManagerNameByRealm to IAuthzSubsystem

The getAuthzManagerByRealm public method is defined in
AuthzSubsystem but to support external principals we want to make
this part of the IAuthzSubsystem interface, so other classes (e.g.
ACLInterceptor) can use it.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../netscape/certsrv/authorization/IAuthzSubsystem.java  |  9 +
 .../netscape/cmscore/authorization/AuthzSubsystem.java   | 16 +---
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git 
a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java 
b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
index 
c7d8df56bbfb1bf8af6c51ce491fc1384560b4a8..6fcf8e7b03eb596bb7914912474eeb3c298b6da1
 100644
--- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
@@ -21,6 +21,7 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 
 import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.ISubsystem;
 
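Review bot: the added import of com.netscape.certsrv.authorization.EAuthzUnknownRealm is redundant, because IAuthzSubsystem is itself in package com.netscape.certsrv.authorization (see the file path in the header); same-package types need no import, so this line can be dropped.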
@@ -181,4 +182,12 @@ public interface IAuthzSubsystem extends ISubsystem {
  * @return an authorization manager interface
  */
 public IAuthzManager get(String name);
+
+/**
+ * Given a realm name, return the name of an authz manager for that realm.
+ *
+ * @throws EAuthzUnknownRealm if no authz manager is found.
+ */
+public String getAuthzManagerNameByRealm(String realm)
+throws EAuthzUnknownRealm;
 }
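Review bot: the Javadoc should carry a `@param realm` and state which manager is returned when several managers are configured for the same realm; the AuthzSubsystem implementation in this patch returns the first match in the iteration order of mAuthzMgrInsts.values(), and callers doing authorization checks for external principals need to know whether that choice is deterministic.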
diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
 
b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 
31d5e71b4bdd672fa3eae3108824480d87eafdf3..67d12bdff2e716bcea4034726d189a23c6f50796
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ 
b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -495,10 +495,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
 // if record owner == requester, SUCCESS
 if ((owner != null) && 
owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
 
-String mgrName = getAuthzManagerByRealm(realm);
-if (mgrName == null) {
-throw new EAuthzUnknownRealm("Realm not found");
-}
+String mgrName = getAuthzManagerNameByRealm(realm);
 
 AuthzToken authzToken = authorize(mgrName, authToken, resource, 
operation, realm);
 if (authzToken == null) {
@@ -506,12 +503,17 @@ public class AuthzSubsystem implements IAuthzSubsystem {
 }
 }
 
-public String getAuthzManagerByRealm(String realm) throws EBaseException {
+public String getAuthzManagerNameByRealm(String realm) throws 
EAuthzUnknownRealm {
 for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) {
 IAuthzManager mgr = proxy.getAuthzManager();
 if (mgr != null) {
 IConfigStore cfg = mgr.getConfigStore();
-String mgrRealmString = cfg.getString(PROP_REALM, null);
+String mgrRealmString = null;
+try {
+mgrRealmString = cfg.getString(PROP_REALM, null);
+} catch (EBaseException e) {
+// never mind
+}
 if (mgrRealmString == null) continue;
 
 List mgrRealms = 
Arrays.asList(mgrRealmString.split(","));
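Review bot: the empty catch with "// never mind" silently hides a misconfigured authz manager, so a realm that should be served by a manager whose config cannot be read falls through to EAuthzUnknownRealm with no diagnostic; log before continuing, e.g. `CMS.debug("AuthzSubsystem: cannot read " + PROP_REALM + " of authz manager: " + e);`. Also `List mgrRealms` is a raw type; `List<String>` is what `Arrays.asList(mgrRealmString.split(","))` returns here.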
@@ -521,7 +523,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
 }
 }
 }
-return null;
+throw new EAuthzUnknownRealm("Realm not found");
 }
 
 }
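Review bot: the message "Realm not found" drops the realm name, which is the one thing an operator needs when an authorization for an external principal fails; include it, e.g. `throw new EAuthzUnknownRealm("Realm not found: " + realm);`.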
-- 
2.7.4


Re: [Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-11 Thread Fraser Tweedale
Acked by alee:

- 
https://github.com/frasertweedale/pki/commit/9826013dfcab72481f3ad6462e1d2c4692367a02
- 
https://github.com/frasertweedale/pki/commit/59071b422637e6e99dd956eed12c5c26e19c3ffc
- 
https://github.com/frasertweedale/pki/commit/7f1f4a2504280a5b8504b4db5df40eac122c280f

Pushed to master:

- 9c23b02b00b13a834b636e9266ee1ae80506f228 Define "req_authority_id" IRequest 
extdata key in IRequest
- a1b56be53d37561c6e80c2aa7daf1e7ab07518c5 Define "profileId" IRequest extdata 
key in one place
- d699d27c7d7a59cf613380ec2214333ecc96ec23 Define "auth_token" IRequest extdata 
key prefix in one place

Thanks,
Fraser

On Wed, Dec 07, 2016 at 02:39:22PM +1000, Fraser Tweedale wrote:
> The attached patches relocate / redefine some constants that are
> used as keys when setting or getting IRequest extdata attributes.
> 
> In some cases this removes duplicate constants or string literals.
> In other cases it actually defines a new constant.
> In all cases the key now uses a constant defined in IRequest, which
> is the appropriate place.
> 
> This is refactoring work undertaken as part of GSSAPI support.
> 
> Thanks,
> Fraser

> From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Wed, 7 Dec 2016 12:25:01 +1000
> Subject: [PATCH 144/146] Define "auth_token" IRequest extdata key prefix in
>  one place
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  base/common/src/com/netscape/certsrv/request/IRequest.java   |  4 
>  .../cms/src/com/netscape/cms/servlet/cert/CertProcessor.java |  9 +++--
>  .../src/com/netscape/cms/servlet/processors/CAProcessor.java |  1 -
>  .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 12 
> +++-
>  4 files changed, 18 insertions(+), 8 deletions(-)
> 
> diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java 
> b/base/common/src/com/netscape/certsrv/request/IRequest.java
> index 
> c892dbb1dc5d75d4b44e4e26b584f94717b2457c..f17f560de75e54cb7650ee06d870f3d1491e52ac
>  100644
> --- a/base/common/src/com/netscape/certsrv/request/IRequest.java
> +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
> @@ -85,6 +85,10 @@ public interface IRequest extends Serializable {
>  // server attributes: attributes generated by server modules.
>  public static final String SERVER_ATTRS = "SERVER_ATTRS";
>  
> +// Sometimes individual IAuthToken fields get set in request
> +// extdata, with key ("auth_token." + field_name).
> +public static final String AUTH_TOKEN_PREFIX = "auth_token";
> +
>  public static final String RESULT = "Result"; // service result.
>  public static final Integer RES_SUCCESS = Integer.valueOf(1); // result 
> value
>  public static final Integer RES_ERROR = Integer.valueOf(2); // result 
> value
> diff --git 
> a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java 
> b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
> index 
> 17b453ab5d82bd7c18612263f01e297a4e9df3da..cb5efa0b0e14274e0c4a9393522ab18071f60fd8
>  100644
> --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
> +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
> @@ -310,12 +310,17 @@ public class CertProcessor extends CAProcessor {
>  String[] tokenVals = 
> authToken.getInStringArray(tokenName);
>  if (tokenVals != null) {
>  for (int i = 0; i < tokenVals.length; i++) {
> -req.setExtData(ARG_AUTH_TOKEN + "." + tokenName 
> + "[" + i + "]", tokenVals[i]);
> +req.setExtData(
> +IRequest.AUTH_TOKEN_PREFIX
> ++ "." + tokenName + "[" + i + "]"
> +, tokenVals[i]);
>  }
>  } else {
>  String tokenVal = authToken.getInString(tokenName);
>  if (tokenVal != null) {
> -req.setExtData(ARG_AUTH_TOKEN + "." + tokenName, 
> tokenVal);
> +req.setExtData(
> +IRequest.AUTH_TOKEN_PREFIX + "." + tokenName,
> +tokenVal);
>  // if RA agent, auto assign the request
>  if (tokenName.equals("uid"))
>  uid = tokenVal;
> diff --git 
> a/base/server/cms/src/com/

[Pki-devel] [PATCH] 0148 Remove principal type assumption from AuthorityService

2016-12-11 Thread Fraser Tweedale
Reviewed by alee:
https://github.com/frasertweedale/pki/commit/967727ea3104accbf1bd1e05fc676bfef0d9ba6d

Pushed to master (1d706a075f32d7c30a6259be675b8f34ef2a9c99).

Thanks,
Fraser
From 1d706a075f32d7c30a6259be675b8f34ef2a9c99 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 30 Nov 2016 10:06:15 +1000
Subject: [PATCH] Remove principal type assumption from AuthorityService

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../src/org/dogtagpki/server/ca/rest/AuthorityService.java   | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 
584ab6e59638beada6c89a1882a176b4743a861d..18542d3794f2f1ba3975c634ee726f6d94ebba5b
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -36,6 +36,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authority.AuthorityData;
 import com.netscape.certsrv.authority.AuthorityResource;
 import com.netscape.certsrv.base.BadRequestDataException;
@@ -46,6 +47,7 @@ import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.base.ServiceUnavailableException;
+import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
@@ -59,7 +61,6 @@ import com.netscape.certsrv.ca.IssuerUnavailableException;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.logging.ILogger;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cmsutil.util.Utils;
 
@@ -191,9 +192,6 @@ public class AuthorityService extends PKIService implements 
AuthorityResource {
 }
 }
 
-PKIPrincipal principal =
-(PKIPrincipal) servletRequest.getUserPrincipal();
-
 Map<String, String> auditParams = new LinkedHashMap<>();
 auditParams.put("dn", data.getDN());
 if (parentAID != null)
@@ -201,10 +199,12 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 if (data.getDescription() != null)
 auditParams.put("description", data.getDescription());
 
+IAuthToken authToken = (IAuthToken)
+SessionContext.getContext().get(SessionContext.AUTH_TOKEN);
+
 try {
 ICertificateAuthority subCA = hostCA.createCA(
-principal.getAuthToken(),
-data.getDN(), parentAID, data.getDescription());
+authToken, data.getDN(), parentAID, data.getDescription());
 audit(ILogger.SUCCESS, OpDef.OP_ADD,
 subCA.getAuthorityID().toString(), auditParams);
 return createOKResponse(readAuthorityData(subCA));
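Review bot: `SessionContext.getContext().get(SessionContext.AUTH_TOKEN)` can yield null when no authentication token was stored for this request, and the new code passes that null straight into hostCA.createCA, whereas the removed PKIPrincipal cast at least failed loudly. Add an explicit check before the try, e.g. `if (authToken == null) throw new ForbiddenException("No authentication token in session");` (ForbiddenException is already imported, see the context line of the second hunk), so a lightweight CA can never be created without an authenticated caller.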
-- 
2.7.4


[Pki-devel] [PATCH] 0143 Remove unused string constant

2016-12-06 Thread Fraser Tweedale
What it says on the tin.  Pushed under one-liner rule.

Thanks,
Fraser
From 01956aedf62f20713ca191c254a20f0b50d8e7af Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 7 Dec 2016 14:23:18 +1000
Subject: [PATCH 143/143] Remove unused string constant

Part of: https://fedorahosted.org/pki/ticket/1359
---
 base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java 
b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 
606b6afaa60c48bb6eec2602b86ae1ed68a22d26..bb3cfa84a423fe452ef55fb20e23c03911831690
 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -116,7 +116,6 @@ public class CAProcessor extends Processor {
 public static final String AUTHZ_MGR = "authzMgr";
 public static final String GET_CLIENT_CERT = "getClientCert";
 public static final String ACL_INFO = "ACLinfo";
-public static final String AUTHORITY_ID = "authorityId";
 public static final String PROFILE_SUB_ID = "profileSubId";
 
 public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
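Review bot: AUTHORITY_ID is a public constant on CAProcessor, so "unused" needs to hold for out-of-tree code (custom servlets or profile plugins compiled against this class) as well as in-tree; removing a public constant is an API change even when no in-tree caller remains, and the commit message should say that the in-tree search came up empty.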
-- 
2.7.4


[Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-06 Thread Fraser Tweedale
The attached patches relocate / redefine some constants that are
used as keys when setting or getting IRequest extdata attributes.

In some cases this removes duplicate constants or string literals.
In other cases it actually defines a new constant.
In all cases the key now uses a constant defined in IRequest, which
is the appropriate place.

This is refactoring work undertaken as part of GSSAPI support.

Thanks,
Fraser
From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Wed, 7 Dec 2016 12:25:01 +1000
Subject: [PATCH 144/146] Define "auth_token" IRequest extdata key prefix in
 one place

Part of: https://fedorahosted.org/pki/ticket/1359
---
 base/common/src/com/netscape/certsrv/request/IRequest.java   |  4 
 .../cms/src/com/netscape/cms/servlet/cert/CertProcessor.java |  9 +++--
 .../src/com/netscape/cms/servlet/processors/CAProcessor.java |  1 -
 .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 12 +++-
 4 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java 
b/base/common/src/com/netscape/certsrv/request/IRequest.java
index 
c892dbb1dc5d75d4b44e4e26b584f94717b2457c..f17f560de75e54cb7650ee06d870f3d1491e52ac
 100644
--- a/base/common/src/com/netscape/certsrv/request/IRequest.java
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
@@ -85,6 +85,10 @@ public interface IRequest extends Serializable {
 // server attributes: attributes generated by server modules.
 public static final String SERVER_ATTRS = "SERVER_ATTRS";
 
+// Sometimes individual IAuthToken fields get set in request
+// extdata, with key ("auth_token." + field_name).
+public static final String AUTH_TOKEN_PREFIX = "auth_token";
+
 public static final String RESULT = "Result"; // service result.
 public static final Integer RES_SUCCESS = Integer.valueOf(1); // result 
value
 public static final Integer RES_ERROR = Integer.valueOf(2); // result value
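Review bot: the comment says the key is ("auth_token." + field_name) but AUTH_TOKEN_PREFIX omits the trailing "." and every caller appends it itself (see the CertProcessor hunk); either spell out in the comment that the separator is the caller's job, or add a small helper on IRequest that builds the full key from a field name so the call sites cannot drift.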
diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java 
b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index 
17b453ab5d82bd7c18612263f01e297a4e9df3da..cb5efa0b0e14274e0c4a9393522ab18071f60fd8
 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -310,12 +310,17 @@ public class CertProcessor extends CAProcessor {
 String[] tokenVals = authToken.getInStringArray(tokenName);
 if (tokenVals != null) {
 for (int i = 0; i < tokenVals.length; i++) {
-req.setExtData(ARG_AUTH_TOKEN + "." + tokenName + 
"[" + i + "]", tokenVals[i]);
+req.setExtData(
+IRequest.AUTH_TOKEN_PREFIX
++ "." + tokenName + "[" + i + "]"
+, tokenVals[i]);
 }
 } else {
 String tokenVal = authToken.getInString(tokenName);
 if (tokenVal != null) {
-req.setExtData(ARG_AUTH_TOKEN + "." + tokenName, 
tokenVal);
+req.setExtData(
+IRequest.AUTH_TOKEN_PREFIX + "." + tokenName,
+tokenVal);
 // if RA agent, auto assign the request
 if (tokenName.equals("uid"))
 uid = tokenVal;
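Review bot: the line starting with `, tokenVals[i]` puts the argument separator at the start of the line, which does not match the second call site in this same hunk; more importantly the `"[" + i + "]"` key layout is now duplicated between here and ProfileSubmitCMCServlet (per the diffstat), so building the indexed key in one place would keep the two from getting out of step.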
diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java 
b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 
bb3cfa84a423fe452ef55fb20e23c03911831690..ae91f649541db5ce77679844ad7a4fec680e99e9
 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -72,7 +72,6 @@ import netscape.security.x509.X509CertImpl;
 
 public class CAProcessor extends Processor {
 
-public final static String ARG_AUTH_TOKEN = "auth_token";
 public final static String ARG_REQUEST_OWNER = "requestOwner";
 public final static String HDR_LANG = "accept-language";
 public final static String ARG_PROFILE = "profile";
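Review bot: this hunk's pre-image blob (bb3cfa84) is the post-image of patch 0143 "Remove unused string constant", so 0144 only applies on top of 0143; worth stating in the cover note since the two were posted as separate threads. The removal of ARG_AUTH_TOKEN itself is fine once the CertProcessor and ProfileSubmitCMCServlet hunks have switched every caller to IRequest.AUTH_TOKEN_PREFIX.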
diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
 
b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index 
f3adc5e85e58e3fb2dbf47984cfeca6797cd569b..6191031905626cc7acb6ccbdc41ff84942baf86f
 100644
--- 
a/base/server/cms/src/com/netscape/cms/servlet/profile/Profil

Re: [Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/b775ca19b2c1a3d554aca3134308a71fecd7bdd0

Pushed to master (1407b5f3af27d05970bb42ac2fefe51cb6b01abd)

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:02:12PM +1000, Fraser Tweedale wrote:
> The attached patch moves some string constants from AuthToken to
> IAuthToken.  External authentication support will bring a new
> implementation of IAuthToken so moving these to the interface
> simplifies things.
> 
> Thanks,
> Fraser

> From 8118f83cc7691e48c63111a050540c9180fd29e5 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Tue, 29 Nov 2016 16:10:58 +1000
> Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  .../netscape/certsrv/authentication/AuthToken.java | 34 
> --
>  .../certsrv/authentication/IAuthToken.java | 34 
> ++
>  2 files changed, 34 insertions(+), 34 deletions(-)
> 
> diff --git 
> a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java 
> b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
> index 
> 0febf87727d2ebde9dbcacbd5059f9b9afa13701..53959b131f2d9a99e6b9b65640f8546e84468c66
>  100644
> --- a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
> +++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
> @@ -51,40 +51,6 @@ import com.netscape.certsrv.usrgrp.Certificates;
>  public class AuthToken implements IAuthToken {
>  protected Hashtable<String, Object> mAttrs = null;
>  
> -/* Subject name of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
> -
> -/* NotBefore value of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
> -
> -/* NotAfter value of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
> -
> -/* Cert Extentions value of the certificate in the authenticating entry 
> */
> -public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
> -
> -/* Serial number of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_SERIALNUM = "certSerial";
> -
> -/**
> - * Certificate to be renewed
> - */
> -public static final String TOKEN_CERT = "tokenCert";
> -
> -/* Certificate to be revoked */
> -public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
> -
> -/**
> - * Name of the authentication manager that created the AuthToken
> - * as a string.
> - */
> -public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName";
> -
> -/**
> - * Time of authentication as a java.util.Date
> - */
> -public static final String TOKEN_AUTHTIME = "authTime";
> -
>  /**
>   * Constructs an instance of a authentication token.
>   * The token by default contains the following attributes: 
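Review bot: since AuthToken implements IAuthToken, existing references such as AuthToken.TOKEN_CERT_SUBJECT keep resolving through the inherited interface constants, which is why the diffstat touches only these two files; a note in the commit message that the remaining callers were checked would make that explicit for the next reader.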
> diff --git 
> a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java 
> b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
> index 
> a71432446edcf6b5d838f1115df16b26acd01dce..a3f240e9c35987462eb2f176de650a769df1005c
>  100644
> --- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
> +++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
> @@ -41,6 +41,40 @@ public interface IAuthToken {
>  public static final String UID = "uid";
>  public static final String GROUPS = "groups";
>  
> +/* Subject name of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
> +
> +/* NotBefore value of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
> +
> +/* NotAfter value of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
> +
> +/* Cert Extentions value of the certificate in the authenticating entry 
> */
> +public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
> +
> +/* Serial number of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_SERIALNUM = "certSerial";
> +
> +/**
> + * Certificate to be renewed
> + */
> +public s

Re: [Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/2d6e917470fce977d2537eba0b9ef2ee17fd0a41

Pushed to master (bfcf597d569e24fe6ec60062e37908c62bcff76)

On Tue, Nov 29, 2016 at 07:04:26PM +1000, Fraser Tweedale wrote:
> The attached patch merges some duplicate authz manager code into the
> existing AAclAuthz superclass.
> 
> It simplifies things if we end up adding a new authz manager as part
> of external authentication / GSS-API support.  But it's a nice
> refactor to do anyway :)
> 
> Thanks,
> Fraser

> From afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Fri, 25 Nov 2016 14:29:40 +1000
> Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass
> 
> DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
> still a lot of duplicate code.  Push the duplicated bits up into the
> AAclAuthz.
> 
> Also remove abstract method flushResourceACLs() from AAclAuthz, and
> its implementation from BasicAclAuthz, because it is only
> implemented (meaningfully) by DirAclAuthz.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  .../com/netscape/cms/authorization/AAclAuthz.java  |  93 ++---
>  .../netscape/cms/authorization/BasicAclAuthz.java  | 144 
> +
>  .../netscape/cms/authorization/DirAclAuthz.java| 105 +--
>  3 files changed, 78 insertions(+), 264 deletions(-)
> 
> diff --git 
> a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
> b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> index 
> b3e447cfca49951fe78f6b4896652921ffc43406..f95c98174a06dba9ebf3e43238e566be2e6b5594
>  100644
> --- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> +++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> @@ -30,6 +30,9 @@ import com.netscape.certsrv.acls.IACL;
>  import com.netscape.certsrv.apps.CMS;
>  import com.netscape.certsrv.authentication.IAuthToken;
>  import com.netscape.certsrv.authorization.AuthzToken;
> +import com.netscape.certsrv.authorization.EAuthzAccessDenied;
> +import com.netscape.certsrv.authorization.EAuthzInternalError;
> +import com.netscape.certsrv.authorization.IAuthzManager;
>  import com.netscape.certsrv.base.EBaseException;
>  import com.netscape.certsrv.base.IConfigStore;
>  import com.netscape.certsrv.evaluators.IAccessEvaluator;
> @@ -61,7 +64,7 @@ import com.netscape.cmsutil.util.Utils;
>   * @version $Revision$, $Date$
>   * @see  HREF="http://developer.netscape.com/library/documentation/enterprise/admnunix/aclfiles.htm;>ACL
>  Files
>   */
> -public abstract class AAclAuthz {
> +public abstract class AAclAuthz implements IAuthzManager {
>  
>  protected static final String PROP_CLASS = "class";
>  protected static final String PROP_IMPL = "impl";
> @@ -69,6 +72,12 @@ public abstract class AAclAuthz {
>  
>  protected static final String ACLS_ATTR = "aclResources";
>  
> +/* name of this authorization manager instance */
> +private String mName = null;
> +
> +/* name of the authorization manager plugin */
> +private String mImplName = null;
> +
>  private IConfigStore mConfig = null;
>  
>  private Hashtable<String, ACL> mACLs = new Hashtable<String, ACL>();
> @@ -93,14 +102,14 @@ public abstract class AAclAuthz {
>  /**
>   * Initializes
>   */
> -protected void init(IConfigStore config)
> +public void init(String name, String implName, IConfigStore config)
>  throws EBaseException {
> -
> +mName = name;
> +mImplName = implName;
> +mConfig = config;
>  mLogger = CMS.getLogger();
>  CMS.debug("AAclAuthz: init begins");
>  
> -mConfig = config;
> -
>  // load access evaluators specified in the config file
>  IConfigStore mainConfig = CMS.getConfigStore();
>  IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL);
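Review bot: init was `protected init(IConfigStore)` and is now the public `init(String, String, IConfigStore)` from IAuthzManager; any subclass outside this patch that still overrides the old signature will compile but never be called. Mark the new method `@Override` (the class now implements IAuthzManager, per the earlier hunk) so the compiler enforces the interface contract.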
> @@ -144,6 +153,20 @@ public abstract class AAclAuthz {
>  }
>  
>  /**
> + * gets the name of this authorization manager instance
> + */
> +public String getName() {
> +return mName;
> +}
> +
> +/**
> + * gets the plugin name of this authorization manager.
> + */
> +public String getImplName() {
> +return mImplName;
> +}
> +
> +/**
>   * Parse ACL resource attributes, then update the ACLs memory store
>   * This is intended to be used if storing ACLs on ldap is not desired,
>   * and the caller is expected to

Re: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec

Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc)

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote:
> With current ACL parsing, if you have a ':' in a group name (as
> occurs with FreeIPA permissions, which matter for upcoming external
> principal support) you are stuffed.  This commit fixes that.
> 
> It is really a band aid - the existing parsing code is poor and
> should be replaced with a nice combinatorial parser... but who has
> the time for that right now? ¯\_(ツ)_/¯
> 
> Note that if there is a ':' in any of the ACL descriptions/comments
> (the final field) this change breaks it.  We don't have any
> occurrences of that in our codebase.
> 
> Thanks,
> Fraser

> From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Fri, 25 Nov 2016 18:04:22 +1000
> Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions
> 
> Currently if ':' appears in an ACL expression (e.g. a group name, as
> occurs in FreeIPA permissions), the ACL gets parsed incorrectly.
> 
> Look backwards from end of string for the final ':', so that the ACL
> parses correctly.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java 
> b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> index 
> e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9
>  100644
> --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> @@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
>  
>  acl = new ACL(resource, rights, resACLs);
>  
> +// search *backwards* for final instance of ':', to handle case
> +// where acl expressions contain colon, e.g. in a group name.
>  String stx = st.substring(idx2 + 1);
> -int idx3 = stx.indexOf(":");
> +int idx3 = stx.lastIndexOf(":");
>  String aclStr = stx.substring(0, idx3);
>  
>  // getting list of acl entries
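Review bot: `lastIndexOf(":")` fixes the quoted-group-name case but, as the cover note says, now mis-parses any ACL whose description contains ':'; and when there is no ':' at all, idx3 is -1 and the following `stx.substring(0, idx3)` throws StringIndexOutOfBoundsException, exactly as before. A mis-parsed ACL is an authorization-policy error, so reject it explicitly with an exception that names the offending ACL string rather than letting the index error surface, and consider scanning for the first ':' outside double quotes, which handles both the group-name and the description case.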
> -- 
> 2.7.4
> 

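The ':' handling discussed in the 0140 thread above, as an added example (not Dogtag code): it contrasts the pre-patch `indexOf` split, the patch's `lastIndexOf` split, and a quote-aware split that handles both a colon inside a quoted group name and a colon in the description, going beyond the patch in that last respect. The field layout after `resource:rights:`, the double-quoted `group="..."` value form and the sample strings are assumptions constructed for this demonstration.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not part of the Dogtag codebase. Splits the trailing
// "<acl expressions>:<description>" part of an ACL resource string the
// three ways discussed in the 0140 thread. Field layout and samples are
// constructed assumptions for the demonstration.
public class AclSplitDemo {

    /** The two fields that follow "resource:rights:" in an ACL string. */
    public static final class Split {
        public final String expressions;
        public final String description;

        Split(String expressions, String description) {
            this.expressions = expressions;
            this.description = description;
        }

        @Override
        public String toString() {
            return "expressions=[" + expressions + "] description=[" + description + "]";
        }
    }

    private static Split splitAt(String stx, int idx) {
        if (idx < 0) {
            // substring(0, -1) would throw StringIndexOutOfBoundsException;
            // reject the malformed ACL with a message that names it instead.
            throw new IllegalArgumentException("malformed ACL, no ':' separator: " + stx);
        }
        return new Split(stx.substring(0, idx), stx.substring(idx + 1));
    }

    /** Pre-patch behaviour: the first ':' is taken as the separator. */
    public static Split splitFirst(String stx) {
        return splitAt(stx, stx.indexOf(':'));
    }

    /** Patch 0140 behaviour: the last ':' is taken as the separator. */
    public static Split splitLast(String stx) {
        return splitAt(stx, stx.lastIndexOf(':'));
    }

    /**
     * Quote-aware split: the separator is the first ':' that is not inside a
     * double-quoted value. Handles ':' in a quoted group name and in the
     * description. Assumes expression values are double-quoted, as in
     * group="...", and contain no escaped quotes.
     */
    public static Split splitQuoteAware(String stx) {
        boolean inQuote = false;
        for (int i = 0; i < stx.length(); i++) {
            char c = stx.charAt(i);
            if (c == '"') {
                inQuote = !inQuote;
            } else if (c == ':' && !inQuote) {
                return splitAt(stx, i);
            }
        }
        return splitAt(stx, -1);
    }

    public static void main(String[] args) {
        // Constructed samples: the part of an ACL string after "resource:rights:".
        List<String> samples = Arrays.asList(
            // ':' inside a quoted group name (the FreeIPA permission case)
            "allow (list,read) group=\"System: Read CAs\":Administrators may read",
            // ':' inside the trailing description (the case the patch breaks)
            "allow (read) group=\"Administrators\":Note: read only",
            // no separator at all (malformed)
            "allow (read) group=\"Administrators\"");
        for (String s : samples) {
            System.out.println("input: " + s);
            for (String name : new String[] {"indexOf", "lastIndexOf", "quoteAware"}) {
                try {
                    Split r = name.equals("indexOf") ? splitFirst(s)
                            : name.equals("lastIndexOf") ? splitLast(s)
                            : splitQuoteAware(s);
                    System.out.println("  " + name + ": " + r);
                } catch (IllegalArgumentException e) {
                    System.out.println("  " + name + ": " + e.getMessage());
                }
            }
        }
    }
}
```

Only the quote-aware split keeps the group name and the description intact in both of the first two samples; all three reject the third sample with a readable error instead of an index exception.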

Re: [Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/4a43f08a96f80a44ad0d8fffcb49f70b5d274277

Pushed to master (e2e4b70bab9c81b9007057cafd25447190d6cde4).

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:12:28PM +1000, Fraser Tweedale wrote:
> This patch renames (a better name) and moves to the IAuthzSubsystem
> interface a method in AuthzSubsystem that may be useful for doing
> authorisation checks for external principals.
> 
> Thanks,
> Fraser

> From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Fri, 25 Nov 2016 21:08:56 +1000
> Subject: [PATCH 141/141] Add getAuthzManagerNameByRealm to IAuthzSubsystem
> 
> The getAuthzManagerByRealm public method is defined in
> AuthzSubsystem but to support external principals we want to make
> this part of the IAuthzSubsystem interface, so other classes (e.g.
> ACLInterceptor) can use it.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  .../netscape/certsrv/authorization/IAuthzSubsystem.java  |  9 +
>  .../netscape/cmscore/authorization/AuthzSubsystem.java   | 16 
> +---
>  2 files changed, 18 insertions(+), 7 deletions(-)
> 
> diff --git 
> a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java 
> b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> index 
> c7d8df56bbfb1bf8af6c51ce491fc1384560b4a8..6fcf8e7b03eb596bb7914912474eeb3c298b6da1
>  100644
> --- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> +++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> @@ -21,6 +21,7 @@ import java.util.Enumeration;
>  import java.util.Hashtable;
>  
>  import com.netscape.certsrv.authentication.IAuthToken;
> +import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
>  import com.netscape.certsrv.base.EBaseException;
>  import com.netscape.certsrv.base.ISubsystem;
>  
> @@ -181,4 +182,12 @@ public interface IAuthzSubsystem extends ISubsystem {
>   * @return an authorization manager interface
>   */
>  public IAuthzManager get(String name);
> +
> +/**
> + * Given a realm name, return the name of an authz manager for that 
> realm.
> + *
> + * @throws EAuthzUnknownRealm if no authz manager is found.
> + */
> +public String getAuthzManagerNameByRealm(String realm)
> +throws EAuthzUnknownRealm;
>  }
> diff --git 
> a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
>  
> b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
> index 
> 31d5e71b4bdd672fa3eae3108824480d87eafdf3..67d12bdff2e716bcea4034726d189a23c6f50796
>  100644
> --- 
> a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
> +++ 
> b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
> @@ -495,10 +495,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
>  // if record owner == requester, SUCCESS
>  if ((owner != null) && 
> owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
>  
> -String mgrName = getAuthzManagerByRealm(realm);
> -if (mgrName == null) {
> -throw new EAuthzUnknownRealm("Realm not found");
> -}
> +String mgrName = getAuthzManagerNameByRealm(realm);
>  
>  AuthzToken authzToken = authorize(mgrName, authToken, resource, 
> operation, realm);
>  if (authzToken == null) {
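Review bot: the removed null check here carried the message "Realm not found", and the exception is now raised inside getAuthzManagerNameByRealm instead; make sure that throw includes the realm name in its message, since this call site no longer adds any context and an unknown-realm authorization failure is exactly the event an operator needs to trace from the log.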
> @@ -506,12 +503,17 @@ public class AuthzSubsystem implements IAuthzSubsystem {
>  }
>  }
>  
> -public String getAuthzManagerByRealm(String realm) throws EBaseException 
> {
> +public String getAuthzManagerNameByRealm(String realm) throws 
> EAuthzUnknownRealm {
>  for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) {
>  IAuthzManager mgr = proxy.getAuthzManager();
>  if (mgr != null) {
>  IConfigStore cfg = mgr.getConfigStore();
> -String mgrRealmString = cfg.getString(PROP_REALM, null);
> +String mgrRealmString = null;
> +try {
> +mgrRealmString = cfg.getString(PROP_REALM, null);
> +} catch (EBaseException e) {
> +// never mind
> +}
>  if (mgrRealmString == null) continue;
>  
>  List mgrRealms = 
> Arrays.asList(mgrRealmString.split(","));
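Review bot: the new try/catch around cfg.getString(PROP_REALM, null) swallows EBaseException with a `// never mind` comment, which silently turns a broken authz manager config into "realm not found"; at least log the exception together with the manager name before continuing, so a misconfigured realm mapping is diagnosable. Also `List mgrRealms` is a raw type; `List<String> mgrRealms = Arrays.asList(mgrRealmString.split(","));` is what split() actually gives you.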
> @@ -521,7 +523,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
>  }
>  }
>  }
> -return null;
> +thr
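Review bot: the rename from getAuthzManagerByRealm to getAuthzManagerNameByRealm narrows the declared exception from EBaseException to EAuthzUnknownRealm and replaces `return null` with a throw (the hunk is cut off at this point), so every other caller of the old method that handled EBaseException or checked for null needs updating; the rename will at least make the compiler point them out.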

Re: [Pki-devel] [Pki-users] CS Server error

2016-12-07 Thread Fraser Tweedale
On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote:
> Here you go. I hope you can help. I am already starting to use it in
> production testing...I would hate to start all over...: (
> 
The error in your log is:

[06/Dec/2016:23:28:45][localhost-startStop-1]: AuthSubsystem: initializing 
authentication manager flatFileAuth
Property auths.instance.flatFileAuth.pluginName missing value
at 
com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:258)
at 
com.netscape.cmscore.authentication.AuthSubsystem.init(AuthSubsystem.java:200)
at 
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
at 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:582)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
... lots more traceback

This causes a shutdown of the Dogtag application (but not Tomcat
itself, hence it is still able to respond to HTTP requests).

Have you modified anything in /etc/pki/pki-tomcat/ca/CS.cfg
yourself?  If not, perhaps it was an update gone awry, or some other
corruption of CS.cfg.

The `flatFileAuth' properties in CS.cfg should be something like:

auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true

auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.pluginName=FlatFileAuth

Try fixing that up and seeing if Dogtag starts.  If it does not,
please attach debug log (latter portions thereof) and the CS.cfg.

Thanks,
Fraser


> On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> 
> > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote:
> > > Hi Team,
> > >
> > >  I have installed Dogtag on one of my Raspberry PI 3 devices for
> > > testing. At first it was working great. Then, I noticed that it took a
> > very
> > > long time for the DogTag Start Page to startup when I rebooted my Pi. In
> > > some cases, it took 10min's, but I attributed this to the fact that it
> > was
> > > running on a ARM processor, and it takes a while to start up. Now, for
> > some
> > > reason, I am getting this error:
> > >
> > > HTTP Status 500 - CS server is not ready to serve.
> > >
> > > *type* Exception report
> > >
> > > *message* *CS server is not ready to serve.*
> > >
> > > *description* *The server encountered an internal error that prevented it
> > > from fulfilling this request.*
> > >
> > > *exception*
> > >
> > > java.io.IOException: CS server is not ready to serve.
> > >   com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.
> > java:445)
> > >   javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> > >   sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >   sun.reflect.NativeMethodAccessorImpl.invoke(
> > NativeMethodAccessorImpl.java:62)
> > >   sun.reflect.DelegatingMethodAccessorImpl.invoke(
> > DelegatingMethodAccessorImpl.java:43)
> > >   java.lang.reflect.Method.invoke(Method.java:498)
> > >   org.apache.catalina.security.SecurityUtil$1.run(
> > SecurityUtil.java:293)
> > >   org.apache.catalina.security.SecurityUtil$1.run(
> > SecurityUtil.java:290)
> > >   java.security.AccessController.doPrivileged(Native Method)
> > >   javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >   org.apache.catalina.security.SecurityUtil.execute(
> > SecurityUtil.java:325)
> > >   org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> > SecurityUtil.java:176)
> > >   java.security.AccessController.doPrivileged(Native Method)
> > >   org.apache.tomcat.websocket.server.WsFilter.doFilter(
> > WsFilter.java:52)
> > >   sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >   sun.reflect.NativeMethodAccessorImpl.invoke(
> > NativeMethodAccessorImpl.java:62)
> > >   sun.reflect.DelegatingMethodAccessorImpl.invoke(
> > DelegatingMethodAccessorImpl.java:43)
> > >   java.lang.reflect.Method.invoke(Method.java:498)
> > >   org.apache.catalina.security.SecurityUtil$1.run(
> > SecurityUtil.java:293)
> > >   org.apache.catalina.security.SecurityUtil$1.run(
> > SecurityUtil.java:290)
> > >   java.security.AccessCont
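
As an added example (not Dogtag's code) of the check behind the error above, this script parses a constructed CS.cfg fragment and reports the same `missing value` condition; the list of properties a FlatFileAuth instance needs is an assumption taken from the reply.

```python
"""Sanity-check the auths.instance.* blocks in a Dogtag CS.cfg.

Added example, not Dogtag code: it reproduces, offline, the condition
behind the "Property auths.instance.flatFileAuth.pluginName missing value"
startup error from the thread, using a constructed CS.cfg fragment.
"""
import re

# pluginName is needed for every auths.instance.<name> block; the rest are
# the properties the reply lists for a FlatFileAuth instance (assumption:
# all of them must be set for the plugin to initialise).
PLUGIN_PROPS = {
    "FlatFileAuth": ("fileName", "keyAttributes", "authAttributes"),
}

# Constructed CS.cfg fragment with the defect from the log: the pluginName
# line is present but has no value (an absent line is reported the same way).
BROKEN_CFG = """\
auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.pluginName=
"""

# The same block as the reply says it should look.
FIXED_CFG = BROKEN_CFG.replace("pluginName=\n", "pluginName=FlatFileAuth\n")


def parse_cs_cfg(text):
    """Parse key=value lines (CS.cfg is a Java properties file) into a dict.

    An empty value is kept as '' so that an empty and an absent key can
    both be reported as "missing value".
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_auth_instances(text):
    """Return a list of 'Property <key> missing value' findings.

    Mirrors the check the server trips over at startup: every
    auths.instance.<name> block needs a pluginName, and a known plugin
    needs each of its own properties.  An empty list means the blocks
    are complete.
    """
    props = parse_cs_cfg(text)
    instances = sorted({
        m.group(1)
        for m in (re.match(r"auths\.instance\.([^.]+)\.", k) for k in props)
        if m
    })
    findings = []
    for inst in instances:
        prefix = f"auths.instance.{inst}."
        plugin = props.get(prefix + "pluginName", "")
        if not plugin:
            findings.append(f"Property {prefix}pluginName missing value")
            continue  # without the plugin name we cannot know its own keys
        for prop in PLUGIN_PROPS.get(plugin, ()):
            if not props.get(prefix + prop):
                findings.append(f"Property {prefix}{prop} missing value")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label, check_auth_instances(cfg) or "OK")
```

Running it prints one finding for the broken fragment and `OK` for the corrected one; point it at a real CS.cfg by reading the file into `check_auth_instances`.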

Re: [Pki-devel] [Pki-users] CS Server error

2016-12-07 Thread Fraser Tweedale
(Sorry, I sent this to the wrong list.)


Re: [Pki-devel] [PATCH] 0167..0175 external authentication support

2017-03-16 Thread Fraser Tweedale
On Tue, Mar 07, 2017 at 11:16:37AM +1000, Fraser Tweedale wrote:
> Hi team,
> 
> Please review the attached patches, which add support for external
> authentication (e.g. GSS-API/SPNEGO).
> 
> These patches depend on some other outstanding patches:
> 0157, 0158, 0165, 0166.
> 
> You can review the whole branch (including those commits just
> mentioned) on GitHub:
> https://github.com/dogtagpki/pki/compare/master...frasertweedale:feature/1359-gssapi
> 
> Thanks!
> Fraser

7 patches acked by alee; pushed to master:

67d51413323e1d55fdc04ca5edf5d9f05afb0ebe Update ACLInterceptor to support 
external principals
ef84ef36be06944a7f6338ed022f13e066cd5c32 Update SessionContextInterceptor to 
handle external principals
76f60251f7e1b2f1f9ad1752121c0c5cb1cb5b8b Update AuthMethodInterceptor to handle 
external principals
433c7b70d7dd8609dea31b28aee042e48a41ac9f Add IAuthToken implementation for 
external principals
00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e Add groups and request attributes to 
external principals
4cf87aa3babc4c7d8ea60a46cb548ebfee493ae4 CertProcessor: extract method 
setAuthTokenIntoRequest
295cb2f175711a85f371c0fa93c584ad235066e4 Define AgentCertAuthentication token 
keys in IAuthToken

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-04 Thread Fraser Tweedale
Hi team,

Please review attached patches for JSS and Dogtag that:

- add some new EncryptedPrivateKeyInfo export and import functions
  to JSS

- update Dogtag's `pki pkcs12' command to use the new functions to
  achieve AES encryption of the key bags, with wrapping/unwrapping
  occurring on the token.

PKCS #12 files produced by current releases continue to import
properly (of course, this is an important test vector).

These patches do not address the PKCS #12 KRA recovery export; this
is my next task and separate patches will be produced.

Thanks,
Fraser
From de2d7f049eb4462c7442795a77a8a915ae70d216 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 3 Apr 2017 11:07:24 +1000
Subject: [PATCH 0/2] Add SEC_OID mappings for AES ECB/CBC algorithms

---
 org/mozilla/jss/crypto/Algorithm.c  |  8 +++-
 org/mozilla/jss/crypto/Algorithm.h  |  2 +-
 org/mozilla/jss/crypto/Algorithm.java   |  8 
 org/mozilla/jss/crypto/EncryptionAlgorithm.java | 18 --
 4 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/org/mozilla/jss/crypto/Algorithm.c 
b/org/mozilla/jss/crypto/Algorithm.c
index 
8679eadca573fdb2bc7903c3e5d0a1a05d4bbd2f..d32bcad469c45c9edcdd5bedfa5e98f2fab0e3a2
 100644
--- a/org/mozilla/jss/crypto/Algorithm.c
+++ b/org/mozilla/jss/crypto/Algorithm.c
@@ -86,7 +86,13 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
 /* 55 */{SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
 /* 56 */{SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
 /* 57 */{CKM_NSS_AES_KEY_WRAP, PK11_MECH},
-/* 58 */{CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH}
+/* 58 */{CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH},
+/* 59 */{SEC_OID_AES_128_ECB, SEC_OID_TAG},
+/* 60 */{SEC_OID_AES_128_CBC, SEC_OID_TAG},
+/* 61 */{SEC_OID_AES_192_ECB, SEC_OID_TAG},
+/* 62 */{SEC_OID_AES_192_CBC, SEC_OID_TAG},
+/* 63 */{SEC_OID_AES_256_ECB, SEC_OID_TAG},
+/* 64 */{SEC_OID_AES_256_CBC, SEC_OID_TAG}
 /* REMEMBER TO UPDATE NUM_ALGS!!! */
 };
 
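Review bot: the final initializer (`/* 64 */{SEC_OID_AES_256_CBC, SEC_OID_TAG}`) is again left without a trailing comma, so the next addition will have to touch the previous last line exactly as this hunk does for entry 58; a trailing comma after the last element is valid C and keeps future diffs to pure additions. The indices 59..64 must stay in lockstep with the constants added to Algorithm.java, and NUM_ALGS is bumped in Algorithm.h in the same patch.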
diff --git a/org/mozilla/jss/crypto/Algorithm.h 
b/org/mozilla/jss/crypto/Algorithm.h
index 
ec2dddb76e66187fce29051069d84293315199f0..c18623185184590799c3c2e0f0627579661051f7
 100644
--- a/org/mozilla/jss/crypto/Algorithm.h
+++ b/org/mozilla/jss/crypto/Algorithm.h
@@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr {
 JSS_AlgType type;
 } JSS_AlgInfo;
 
-#define NUM_ALGS 59
+#define NUM_ALGS 65
 
 extern JSS_AlgInfo JSS_AlgTable[];
 extern CK_ULONG JSS_symkeyUsage[];
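Review bot: NUM_ALGS 59 -> 65 matches the six new table entries (indices 59..64). Since the table length and this constant are maintained by hand, consider a compile-time check where JSS_AlgTable is defined (a `_Static_assert` or sizeof-based check that the initializer count equals NUM_ALGS) so that a mismatch fails the build instead of reading past the end of the table.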
diff --git a/org/mozilla/jss/crypto/Algorithm.java 
b/org/mozilla/jss/crypto/Algorithm.java
index 
919c2ece0608418015a2f05e7c363cdd70a2b16a..1818bd4703b8d55ae81a64d468a5ade890b21382
 100644
--- a/org/mozilla/jss/crypto/Algorithm.java
+++ b/org/mozilla/jss/crypto/Algorithm.java
@@ -212,4 +212,12 @@ public class Algorithm {
 protected static final short 
SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
 protected static final short CKM_NSS_AES_KEY_WRAP=57;
 protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58;
+
+// AES Encryption Algorithms
+protected static final short SEC_OID_AES_128_ECB = 59;
+protected static final short SEC_OID_AES_128_CBC = 60;
+protected static final short SEC_OID_AES_192_ECB = 61;
+protected static final short SEC_OID_AES_192_CBC = 62;
+protected static final short SEC_OID_AES_256_ECB = 63;
+protected static final short SEC_OID_AES_256_CBC = 64;
 }
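Review bot: the values 59..64 mirror the C table in the same patch, good. Style only: the existing lines above write `CKM_NSS_AES_KEY_WRAP_PAD=58` without spaces around `=` while the new lines use `= 59`; pick one form for the block.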
diff --git a/org/mozilla/jss/crypto/EncryptionAlgorithm.java 
b/org/mozilla/jss/crypto/EncryptionAlgorithm.java
index 
db10305c14f7c5d75920624c1243feae09b0c92a..8e389b47035d51f073a9005756aed0cde915e024
 100644
--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java
+++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java
@@ -347,12 +347,14 @@ public class EncryptionAlgorithm extends Algorithm {
 { 2, 16, 840, 1, 101, 3, 4, 1 } );
 
 public static final EncryptionAlgorithm
-AES_128_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
+AES_128_ECB = new EncryptionAlgorithm(SEC_OID_AES_128_ECB,
+Alg.AES, Mode.ECB,
 Padding.NONE, (Class)null, 16,
 AES_ROOT_OID.subBranch(1), 128);
 
 public static final EncryptionAlgorithm
-AES_128_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC,
+AES_128_CBC = new EncryptionAlgorithm(SEC_OID_AES_128_CBC,
+Alg.AES, Mode.CBC,
 Padding.NONE, IVParameterSpecClasses, 16,
 AES_ROOT_OID.subBranch(2), 128);
 
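Review bot: switching the first constructor argument from CKM_AES_ECB / CKM_AES_CBC (PK11_MECH table entries) to SEC_OID_AES_128_ECB / SEC_OID_AES_128_CBC (SEC_OID_TAG entries) changes how the native side resolves these two algorithms; confirm that every native path that previously obtained the PKCS#11 mechanism for AES_128_ECB and AES_128_CBC also handles a SEC_OID_TAG entry (converting the OID tag to a mechanism), otherwise existing encryption through these EncryptionAlgorithm instances could break while the new EncryptedPrivateKeyInfo export works. A sentence in the commit message on why the OID form is needed (the key bag AlgorithmIdentifier) would also help the next reader.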
@@ -361,11 +363,13 @@ public class EncryptionAlgorithm extends Algorithm {
 Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid
 
 public static final EncryptionAlgorithm
-AES_192_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
+AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB,
+Alg.AES, Mode.ECB,
 Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(21), 192);
 
 public static final EncryptionAlgorithm
-AES_1

[Pki-devel] KRA questions

2017-04-05 Thread Fraser Tweedale
Hi all,

I have some questions about KRA operation.  These questions came up
as part of my PKCS #12 AES key bag encryption effort.

1) the kra.allowEncDecrypt.recovery setting controls whether
unwrapping the archived key takes place on a crypto token (the
default) or within Dogtag.  It seems to be an instance-wide setting.

What is the purpose of this setting?  Is it just a provision for
environments that do not support the key (un)wrapping on a token?
Or does it have some other purpose?

2) When kra.allowEncDecrypt.recovery is false, the private keys
being recovered accumulate in the /etc/pki/pki-tomcat/alias NSSDB
(i.e. the NSS internal token).  Presumably the same occurs for
hardware tokens, too.  The unwrapping of the archived key in
RecoveryService.recoverKey() calls with boolean temporary = false;

This seems like the wrong behaviour... why would we want to keep the
key in the token?

Thanks,
Fraser



[Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-06 Thread Fraser Tweedale
The attached patch fixes a regression (I think?) where recovered
keys accumulate in the key storage token.

Thanks,
Fraser
From ab470a00827673f327d5f171ff3fdf1baea4ae5e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 6 Apr 2017 16:07:07 +1000
Subject: [PATCH] KRA: do not accumulate recovered keys in token

When using token-based unwrapping of archived keys, the key is being
stored in the token.  We do not want to accumulate the keys here;
make them temporary.

Part of: https://pagure.io/dogtagpki/issue/2610
---
 base/kra/src/com/netscape/kra/RecoveryService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java 
b/base/kra/src/com/netscape/kra/RecoveryService.java
index 
c89e2f388f037bb8608b24389b26f8076511adf7..817f3f01586e851007d25e0724c03d213f0b6c4a
 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -409,7 +409,7 @@ public class RecoveryService implements IService {
 privKey = mStorageUnit.unwrap(
 keyRecord.getPrivateKeyData(),
 pubkey,
-false,
+true /* temporary */,
 
keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams()));
 } catch (Exception e) {
 mKRA.log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
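Review bot: passing `true /* temporary */` stops the unwrapped private key from being persisted in the storage token, which is the stated intent, but a temporary PKCS#11 key lives only as long as the object holding it; verify that `privKey` remains referenced until the recovery output has been produced, and add a test that exercises recovery with kra.allowEncDecrypt.recovery=false so this regression cannot return unnoticed.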
-- 
2.9.3


Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Fraser Tweedale
On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote:
> Hi Fraser,
> 
> Could you please do the following first?
> 
> 1.  file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1,
> then assign to yourself:
> https://bugzilla.mozilla.org/
> 2. After making sure your patch compiles well with the 4.4.1 base, attach
> the patch to that ticket, and mark reviewers
> 
> thanks!
> 
> Christina
> 
Thanks Christina, I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1355358

I was unable to assign myself to the bug (the 'Assignee' field is not
active when I go to Edit Bug).

Also not sure how to "mark reviewers".  I added you and Elio to Cc
though.

Thanks,
Fraser

> 
> On 04/04/2017 02:56 AM, Fraser Tweedale wrote:
> > Hi team,
> > 
> > Please review attached patches for JSS and Dogtag that:
> > 
> > - add some new EncryptedPrivateKeyInfo export and import functions
> >to JSS
> > 
> > - update Dogtag's `pki pkcs12' command to use the new functions to
> >achieve AES encryption of the key bags, with wrapping/unwrapping
> >occurring on the token.
> > 
> > PKCS #12 files produced by current releases continue to import
> > properly (of course, this is an important test vector).
> > 
> > These patches do not address the PKCS #12 KRA recovery export; this
> > is my next task and separate patches will be produced.
> > 
> > Thanks,
> > Fraser
> 



Re: [Pki-devel] [PATCH] 0159..0161 Fix config param removal in profile modification

2017-04-19 Thread Fraser Tweedale
I have created a gerrit review for this patchset:
https://review.gerrithub.io/#/c/357607/

Thanks,
Fraser

On Tue, Feb 07, 2017 at 09:39:52PM +1000, Fraser Tweedale wrote:
> Please review the attached patches which fix
> https://fedorahosted.org/pki/ticket/2588, a bug in profile
> modification where config params can only be added or changed, but
> not removed.
> 
> Thanks,
> Fraser

> From 0a86f63cfe2d5391befe401541e9dcc0dae6ce29 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftwee...@redhat.com>
> Date: Tue, 7 Feb 2017 17:27:06 +1000
> Subject: [PATCH 159/161] LDAPProfileSubsystem: avoid duplicating logic in
>  superclass
> 
> Part of: https://fedorahosted.org/pki/ticket/2588
> ---
>  .../cmscore/profile/AbstractProfileSubsystem.java  |  7 +++-
>  .../cmscore/profile/LDAPProfileSubsystem.java  | 43 
> --
>  2 files changed, 13 insertions(+), 37 deletions(-)
> 
> diff --git 
> a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
>  
> b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
> index 
> 116b8e2026e80b012fb87647fd8924b567194fa3..2a209ad5b2656d65db57d36b7ecb2745527ab081
>  100644
> --- 
> a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
> +++ 
> b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
> @@ -121,7 +121,7 @@ public abstract class AbstractProfileSubsystem implements 
> IProfileSubsystem {
>  /**
>   * Commits a profile.
>   */
> -public void commitProfile(String id)
> +public synchronized void commitProfile(String id)
>  throws EProfileException {
>  IConfigStore cs = mProfiles.get(id).getConfigStore();
>  
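Review bot: adding `synchronized` to AbstractProfileSubsystem.commitProfile locks on the subsystem instance; since this method reads mProfiles.get(id) and the subclass hook runs inside the same monitor, make sure every other method that mutates mProfiles takes the same lock, otherwise the synchronization only serialises commits against each other and not against concurrent profile adds or deletes.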
> @@ -157,6 +157,11 @@ public abstract class AbstractProfileSubsystem 
> implements IProfileSubsystem {
>  
>  // finally commit the configStore
>  //
> +commitConfigStore(id, cs);
> +}
> +
> +protected void commitConfigStore(String id, IConfigStore cs)
> +throws EProfileException {
>  try {
>  cs.commit(false);
>  } catch (EBaseException e) {
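Review bot: the new protected hook `commitConfigStore(String id, IConfigStore cs)` has no Javadoc; document that it is the extension point a subclass overrides to persist the profile's config store (the LDAP subsystem using it to track entryUSN and nsUniqueId), and what the boolean passed to cs.commit(false) means, so the next implementor does not have to read the superclass to find out.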
> diff --git 
> a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
>  
> b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
> index 
> fff8ead3f2088aedaf5856c308dd33be90af7779..bce675e7bf993d97a086fb830e34d5c4f396
>  100644
> --- 
> a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
> +++ 
> b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
> @@ -303,43 +303,14 @@ public class LDAPProfileSubsystem
>  readProfile(entry);
>  }
>  
> +/**
> + * Commit the configStore and track the resulting
> + * entryUSN and (in case of add) the nsUniqueId
> + */
>  @Override
> -public synchronized void commitProfile(String id) throws 
> EProfileException {
> -LDAPConfigStore cs = (LDAPConfigStore) 
> mProfiles.get(id).getConfigStore();
> -
> -// first create a *new* profile object from the configStore
> -// and initialise it with the updated configStore
> -//
> -IPluginRegistry registry = (IPluginRegistry)
> -CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
> -String classId = mProfileClassIds.get(id);
> -IPluginInfo info = registry.getPluginInfo("profile", classId);
> -String className = info.getClassName();
> -IProfile newProfile = null;
> -try {
> -newProfile = (IProfile) Class.forName(className).newInstance();
> -} catch (ClassNotFoundException | InstantiationException | 
> IllegalAccessException e) {
> -throw new EProfileException("Could not instantiate class '"
> -+ classId + "' for profile '" + id + "': " + e);
> -}
> -newProfile.setId(id);
> -try {
> -newProfile.init(this, cs);
> -} catch (EBaseException e) {
> -throw new EProfileException(
> -"Failed to initialise profile '" + id + "': " + e);
> -}
> -
> -// next replace the existing profile with the new profile;
> -// this is to avoid any intermediate state where the profile
> -// is not fully initialised with its inputs, outputs and
> -// policy objects.
> -//
> -mProfiles.put(id, newProfile);
> -
> -// finally commit the configStore and track the resulting
> -// entr
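Review bot: the hunk is cut off before the new method declaration, but the Javadoc added above it ("Commit the configStore and track the resulting entryUSN and (in case of add) the nsUniqueId") describes the superclass's commitConfigStore hook; check that the replacement override keeps `@Override` and declares `throws EProfileException` to match the superclass signature, and that dropping the synchronized commitProfile override here is safe because the superclass version is now synchronized in the same patchset.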

[Pki-devel] [PATCH] 0176..0177 small manpage fixes

2017-03-08 Thread Fraser Tweedale
Please review attached patches that fix a couple of problems in
pkispawn.8 and pki_default.cfg.5.

Thanks,
Fraser
From e6c683eec351be54fb65f22629e78865839bf263 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 9 Mar 2017 14:30:29 +1000
Subject: [PATCH 176/177] pkispawn.8: fix setup-ds.pl command name

---
 base/server/man/man8/pkispawn.8 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 
40ec7f0ad17acfa3a1e909dfac2ef16782dda6c6..002520a0b2207014989b82001ec4723fefd309f1
 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -1387,7 +1387,7 @@ Directory Server and Admin Server instances can be 
created with the following
 command:
 
 .IP
-\fBsetup-ds-admin.pl\fP
+\fBsetup-ds.pl\fP
 
 .PP
 Enable LDAPS in the Directory Server with the following command:
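Review bot: the context sentence just above ("Directory Server and Admin Server instances can be created with the following command:") still mentions an Admin Server, while setup-ds.pl sets up only a Directory Server instance; drop "and Admin Server" in the same patch so the sentence matches the corrected command.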
-- 
2.9.3

From 852c6e5783648bf9786aa6c4c3aa20ff90b86790 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 9 Mar 2017 15:38:50 +1000
Subject: [PATCH 177/177] pki_default.cfg.5: fix ca_signing tag name

---
 base/server/man/man5/pki_default.cfg.5 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/man/man5/pki_default.cfg.5 
b/base/server/man/man5/pki_default.cfg.5
index 
1eb4ab99b1863a1927fba0f3f69ccf2e0431211f..856081dcf195df325fe48172f32a2afaeeef8e85
 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -107,7 +107,7 @@ If an optional hardware security module (HSM) is being 
utilized (rather than the
 .SS SYSTEM CERTIFICATE PARAMETERS
 \fBpkispawn\fP sets up a number of system certificates for each subsystem.  
The system certificates which are required differ between subsystems.  Each 
system certificate is denoted by a tag, as noted below.  The different system 
certificates are:
 .IP
-* signing certificate ("signing").  Used to sign other certificates.  Required 
for CA.
+* signing certificate ("ca_signing").  Used to sign other certificates.  
Required for CA.
 .IP
 * OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP).  Used to 
sign CRLs.  Required for OCSP and CA.
 .IP
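Review bot: the tag rename matches the pki_ca_signing_* parameter names used elsewhere in pki_default.cfg, so the fix is right. Style only: the rewrap moves "Required for CA." onto its own line with two trailing spaces after "certificates." on the line above; roff does not care, but trailing whitespace tends to be flagged by pre-commit checks, so trim it.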
-- 
2.9.3


Re: [Pki-devel] [PATCH] 0163..0165 Include revocation reason in REST cert data

2017-03-13 Thread Fraser Tweedale
On Mon, Mar 13, 2017 at 03:59:24PM -0400, Ade Lee wrote:
> ACK
> 
Thanks; 0165 pushed to master
(6fa6b692882d00c8228aed7f5780b13f1b09c98c)

> On Wed, 2017-02-22 at 12:12 +1000, Fraser Tweedale wrote:
> > The following patches add the revocation reason to the REST cert
> > data (i.e. GET /ca/rest/certs/{id}).
> > 
> > Patches 0163 and 0164 were pushed under trivial rule.
> > 
> > Please review 0165.
> > 
> > Thanks,
> > Fraser



Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
On Thu, Apr 06, 2017 at 05:22:34PM +1000, Fraser Tweedale wrote:
> The attached patch fixes a regression (I think?) where recovered
> keys accumulate in the key storage token.
> 
> Thanks,
> Fraser

Gerrit review: https://review.gerrithub.io/#/c/358632/



Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-26 Thread Fraser Tweedale
On Tue, Apr 11, 2017 at 03:23:18PM -0700, Christina Fu wrote:
> Thank you. Please see review comments:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6
> 
> I will review PKCS12Util later.
> 
> Christina
> 
Updated patch jss-0002 and also created
https://bugzilla.mozilla.org/show_bug.cgi?id=1359731 with some
other JSS patches.

Created Gerrit review branch for Dogtag patches:
https://review.gerrithub.io/#/c/358634/.  This includes patch
pki-0178 and also a new patch to change KRA PKCS #12 recovery to use
AES, which depends on the new JSS patches linked above.

Thanks,
Fraser




Re: [Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-26 Thread Fraser Tweedale
ACKed by Ade.  Pushed to master
(da624993c302a81a11f37f984d75c37a467dc5e5)

Cheers,
Fraser



[Pki-devel] Gerrit submit type

2017-10-06 Thread Fraser Tweedale
To whoever has management permission on gerrithub,

Could you please change the `Submit Type' config to `Rebase if
Necessary'?  This will avoid explicit merge commits without the
developer having to explicitly rebase the change before submitting.

https://gerrit-review.googlesource.com/Documentation/project-configuration.html#submit_type

Thanks,
Fraser


